SV.LDAP
This error is detected when unchecked user input is used for the filter part of a LDAP query.
As of release 2023.2, this checker supports Jakarta EE.
Mitigation and prevention
The prevention of LDAP injection attacks can be achieved by validating any and all input from outside the application (user input, file input, system parameters, etc.). The best way to filter user data is with a blacklist regular expression that includes only the type of characters that are allowed. Make the LDAP query filters as specific as possible. If you need to allow the use of any special symbols, make sure to escape them.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Example 1
protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
try {
String filter = req.getParameter("filter");
NamingEnumeration<SearchResult> namingEnumeration = context.search(name, filter, null);
while (namingEnumeration.hasMore()) {
SearchResult searchResult = namingEnumeration.next();
Attribute attribute = searchResult.getAttributes().get("");
if (ATTRIBUTE_TYPE.equals(attribute.getID())) {
resp.getOutputStream().println(attribute.get() + ";");
}
}
} catch (NamingException e) {
throw new ServletException("LDAP failure", e);
}
}SV.LDAP is reported for line 27: unvalidated user input is stored in 'filter' on line 26 which is used as a LDAP filter. This filter could contain arbitrary content and makes the server vulnerable to an LDAP injection attack.
External guidance
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.
