JAVA.INSEC.LDAP.DA : LDAP Authentication Disabled (Java)

Summary

An LDAP connection is set up without authentication.

Queries against LDAP databases return objects representing data stored in the database. Modifications to such objects should not be reflected into actual updates to the database; otherwise anybody holding a reference to such an object could corrupt the database, in a kind of attack known as LDAP poisoning. This checker identifies such situations. An unauthenticated LDAP connection also allows transactions to be made without access control or authentication; the checker warns about these issues too.

Properties

Class Name: LDAP Authentication Disabled (Java)
Significance: security
Mnemonic: JAVA.INSEC.LDAP.DA
Categories:
  CWE: CWE:1390 Weak Authentication
  CERT-Java: CERT-Java:ENV01-J Place all security-sensitive code in a single JAR and sign and seal it
Availability: Available for Java only.
Enabling: Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file:
  WARNING_FILTER += discard class="LDAP Authentication Disabled (Java)"

Example

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

import com.juliasoft.julia.extraction.EntryPoint;

public class LdapPoisoning {

  public @EntryPoint List<Object> search(int controls, String[] attributes, String base, String filter, String[] args)
                                      throws NamingException {
    LdapContext ctx = null;
    List<Object> result = new ArrayList<>();

    try {
      Properties env = createEnvironment();
      ctx = new InitialLdapContext(env, null); // LDAP Authentication Disabled (Java) warning issued here

      SearchControls ctls = new SearchControls();
      ctls.setSearchScope(controls);
      ctls.setReturningAttributes(attributes);
      ctls.setReturningObjFlag(true);          // Potential LDAP Poisoning (Java) warning issued here

      NamingEnumeration<SearchResult> enm = ctx.search(base, filter, args, ctls);
      while (enm.hasMoreElements()) {
        SearchResult sr = enm.nextElement();
        result.add(sr.getObject());            /* The previous setReturningObjFlag(true) means that modifications
                                                * to the object returned by sr.getObject() can be reflected into the database.
                                                */
      }
    }
    catch (NamingException ne) {
      throw ne;
    }
    finally {
      if (ctx != null)
        ctx.close();
    }

    return result;                             /* The 'result' list returned by search() contains
                                                * objects whose modifications can be reflected into the database.
                                                */
  }

  public boolean exists(String dn) throws NamingException {
    Properties env = createEnvironment();
    LdapContext ctx = new InitialLdapContext(env, null);
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
    ctls.setReturningAttributes(new String[0]);
    ctls.setReturningObjFlag(false);           // ok: flag set to false

    try {
      ctx.search(dn, "(objectClass=*)", ctls);
      return true;
    }
    catch (NameNotFoundException nne) {
      return false;
    }
    finally {
      ctx.close();                             // release the connection on every path
    }
  }

  protected Properties createEnvironment() {
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.setProperty(Context.PROVIDER_URL, "www.juliasoft.com");
    env.setProperty(Context.OBJECT_FACTORIES, "my.factory");
    env.setProperty(Context.SECURITY_PRINCIPAL, "user");
    env.setProperty(Context.SECURITY_CREDENTIALS, "verysecretpassword");
    env.setProperty(Context.SECURITY_AUTHENTICATION, "none"); // Disables authentication, leading to the "LDAP Authentication Disabled (Java)" warning above.
    return env;
  }
}

Resolution

Do not allow LDAP queries to return objects whose modifications are reflected into the database; typically this means not setting the corresponding flag (setReturningObjFlag(true)) for such queries. Do not create unauthenticated LDAP connections: bind with a principal and credentials instead of setting SECURITY_AUTHENTICATION to "none".
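A corrected version of the environment and search code from the example above, added here as an illustration and not taken from the checker's own documentation or the Julia project: the connection always binds with credentials (SECURITY_AUTHENTICATION "simple" over an ldaps:// URL), no object factories are registered, and the search returns plain attribute sets with setReturningObjFlag(false) so that nothing the caller modifies can be written back into the directory. The URL and bind DN are placeholders.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapSafeSearch {

  // Placeholder directory URL; a real deployment reads this from configuration.
  private static final String PROVIDER_URL = "ldaps://ldap.example.invalid:636";

  /** Builds an environment that always binds with credentials and never uses "none". */
  static Properties createAuthenticatedEnvironment(String bindDn, char[] password) {
    if (bindDn == null || bindDn.isEmpty() || password == null || password.length == 0) {
      throw new IllegalArgumentException("LDAP bind requires a principal and credentials");
    }
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.setProperty(Context.PROVIDER_URL, PROVIDER_URL);
    env.setProperty(Context.SECURITY_AUTHENTICATION, "simple"); // authenticated bind, not "none"
    env.setProperty(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, password);             // char[] is accepted by JNDI
    // Deliberately no Context.OBJECT_FACTORIES: entries are never turned into live objects.
    return env;
  }

  /** Returns attribute data only; the caller cannot reflect changes into the directory. */
  static List<Attributes> search(String bindDn, char[] password, String base, String filter,
                                 String[] attrs) throws NamingException {
    LdapContext ctx = new InitialLdapContext(createAuthenticatedEnvironment(bindDn, password), null);
    List<Attributes> out = new ArrayList<>();
    try {
      SearchControls ctls = new SearchControls();
      ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      ctls.setReturningAttributes(attrs);
      ctls.setReturningObjFlag(false);   // plain data, no bound objects returned
      NamingEnumeration<SearchResult> enm = ctx.search(base, filter, ctls);
      while (enm.hasMore()) {
        out.add(enm.next().getAttributes());
      }
    } finally {
      ctx.close();                       // released on every path, including exceptions
    }
    return out;
  }
}
```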

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.