include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,python]
|
|
----
|
|
from flask import request
|
|
import ldap
|
|
|
|
@app.route("/user")
def user():
    """Look up a directory entry from query-string parameters (noncompliant).

    Both ``dn`` (used as the search base) and ``username`` (spliced into the
    search filter) come straight from ``request.args`` and reach the LDAP
    server without any escaping. LDAP filter syntax characters (``(``, ``)``,
    ``*``, ``\\`` and NUL) in ``username`` therefore change the structure of
    the filter instead of being matched literally, and DN syntax characters
    in ``dn`` change which entry is used as the base -- this is the LDAP
    injection the rule reports.
    """
    dn = request.args['dn']  # untrusted, passed to search_s as the base DN verbatim
    username = request.args['username']  # untrusted, no escaping applied

    # Filter built by string concatenation: nothing stops ``username`` from
    # closing the ``(uid=...)`` assertion and adding further filter terms.
    search_filter = "(&(objectClass=*)(uid="+username+"))"
    ldap_connection = ldap.initialize("ldap://127.0.0.1:389")
    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) # Noncompliant
    return user[0]  # first match; raises IndexError if the search returned nothing
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,python]
|
|
----
|
|
from flask import request
|
|
import ldap
|
|
import ldap.filter
|
|
import ldap.dn
|
|
|
|
@app.route("/user")
def user():
    """Look up a directory entry from query-string parameters (compliant).

    Each user-controlled value is escaped with the python-ldap helper that
    matches the context it is inserted into: ``ldap.dn.escape_dn_chars`` for
    the ``dc`` component of the base DN, and ``ldap.filter.escape_filter_chars``
    for the ``uid`` assertion value in the search filter. With the syntax
    characters escaped, the request can no longer alter the shape of the DN
    or the filter, so the same string concatenation is safe.

    NOTE(review): escaping prevents injection but not choice -- the caller still
    picks which ``dc=...`` subtree is searched. If only one base is legitimate
    for this endpoint, take it from configuration instead of the request.
    """
    dn = "dc=%s" % ldap.dn.escape_dn_chars(request.args['dc'])  # Escape distinguished-name special characters
    username = ldap.filter.escape_filter_chars(request.args['username'])  # Escape search-filter special characters

    # ``username`` is now an opaque assertion value: escaped ``*`` and
    # parentheses are matched literally rather than parsed as filter syntax.
    search_filter = "(&(objectClass=*)(uid="+username+"))"
    ldap_connection = ldap.initialize("ldap://127.0.0.1:389")
    user = ldap_connection.search_s(dn, ldap.SCOPE_SUBTREE, search_filter) # Compliant
    return user[0]  # first match; raises IndexError if the search returned nothing
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|