The prevention of LDAP injection attacks can be achieved by validating any and all input from outside the application (user input, file input, system parameters, etc.). The best way to filter user data is with a blacklist regular expression that includes only the type of characters that are allowed. Make the LDAP query filters as specific as possible. If you need to allow the use of any special symbols, make sure to escape them.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Example 1

24     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
25         try {
26             String filter = req.getParameter("filter");
27             NamingEnumeration<SearchResult> namingEnumeration = context.search(name, filter, null);
28 
29             while (namingEnumeration.hasMore()) {
30                 SearchResult searchResult = namingEnumeration.next();
31                 Attribute attribute = searchResult.getAttributes().get("");
32                 if (ATTRIBUTE_TYPE.equals(attribute.getID())) {
33                     resp.getOutputStream().println(attribute.get() + ";");
34                 }
35 
36             }
37         } catch (NamingException e) {
38             throw new ServletException("LDAP failure", e);
39         }
40     }

SV.LDAP is reported for line 27: unvalidated user input is stored in 'filter' on line 26 which is used as a LDAP filter. This filter could contain arbitrary content and makes the server vulnerable to an LDAP injection attack.

Security guidelines

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.