rspec/rules/S2078/java/how-to-fix-it/java-se.adoc

== How to fix it in Java SE

=== Code examples

The following noncompliant code is vulnerable to LDAP injections because untrusted data is
concatenated to an LDAP query without prior sanitization or validation.

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {
  String user = req.getParameter("user");
  String pass = req.getParameter("pass");

  String filter = "(&(uid=" + user + ")(userPassword=" + pass + "))";

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new SearchControls());
  return results.hasMore();
}
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
public boolean authenticate(HttpServletRequest req, DirContext ctx) throws NamingException {
  String user = req.getParameter("user");
  String pass = req.getParameter("pass");

  String filter = "(&(uid={0})(userPassword={1}))";

  NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new String[]{user, pass}, new SearchControls());
  return results.hasMore();
}
----

=== How does this work?

include::../../common/fix/validation.adoc[]

For Java, OWASP's functions
https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForDN-java.lang.String-[`encodeForDN`]
and
https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForLDAP-java.lang.String-[`encodeForLDAP`]
allow sanitizing these characters automatically.

In the compliant solution example, the `search` function allows to safely parameterize the query.