include::../description.adoc[]

== Noncompliant Code Example

----
public boolean authenticate(javax.servlet.http.HttpServletRequest request, DirContext ctx) throws NamingException { 
  String user = request.getParameter("user"); 
  String pass = request.getParameter("pass"); 

  String filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Unsafe 

  // If the special value "*)(uid=*))(|(uid=*" is passed as user, authentication is bypassed 
  // Indeed, if it is passed as a user, the filter becomes: 
  // (&(uid=*)(uid=*))(|(uid=*)(userPassword=...))
  // as uid=* match all users, it is equivalent to:
  // (|(uid=*)(userPassword=...))
  // again, as uid=* match all users, the filter becomes useless

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new SearchControls()); // Noncompliant
  return results.hasMore();
}
----

== Compliant Solution

----
public boolean authenticate(javax.servlet.http.HttpServletRequest request, DirContext ctx) throws NamingException { 
  String user = request.getParameter("user"); 
  String pass = request.getParameter("pass"); 

  String filter = "(&(uid={0})(userPassword={1}))"; // Safe

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new String[]{user, pass}, new SearchControls());
  return results.hasMore();
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]