Java


JAVA.INSEC.LDAP.POISON : Potential LDAP Poisoning (Java)

Summary

An LDAP poisoning attack seems possible.

Queries against LDAP databases return objects that represent entries stored in the database. Modifications to such objects must not be reflected as actual updates to the database; otherwise, everybody holding a reference to one of these objects can corrupt the database, in a kind of attack known as LDAP poisoning. This checker identifies such situations: a search is performed with the returning-object flag set (SearchControls.setReturningObjFlag(true)), so the objects handed back for the matching entries are the ones built by the configured object factories, and they are then passed on to callers. Transactions that bypass access control and authentication can also be made over an unauthenticated LDAP connection (Context.SECURITY_AUTHENTICATION set to "none"); the checker reports those too.

Properties

Class name Potential LDAP Poisoning (Java)
Japanese class name Potential LDAP Poisoning (Java)
Class category Security (security)
Mnemonic JAVA.INSEC.LDAP.POISON
Category
CWE CWE:349 Acceptance of Extraneous Untrusted Data With Trusted Data
Supported languages Available for Java.
Enabled/disabled setting The check for this warning class is enabled by default. To disable the check, add the following WARNING_FILTER rule to the project configuration file:
WARNING_FILTER += discard class="Potential LDAP Poisoning (Java)"

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

import com.juliasoft.julia.extraction.EntryPoint;

public class LdapPoisoning {

  public @EntryPoint List<Object> search(int controls, String[] attributes, String base, String filter, String[] args)
                                      throws NamingException {
    LdapContext ctx = null;
    List<Object> result = new ArrayList<>();

    try {
      Properties env = createEnvironment();
      ctx = new InitialLdapContext(env, null); // "LDAP Authentication Disabled (Java)" warning issued here

      SearchControls ctls = new SearchControls();
      ctls.setSearchScope(controls);
      ctls.setReturningAttributes(attributes);
      ctls.setReturningObjFlag(true);          // "Potential LDAP Poisoning (Java)" warning issued here

      NamingEnumeration<SearchResult> enm = ctx.search(base, filter, args, ctls);
      while (enm.hasMoreElements()) {
        SearchResult sr = enm.nextElement();
        // Because setReturningObjFlag(true) was requested above, sr.getObject() is the live
        // object built for the entry, and modifications to it can be reflected into the database.
        result.add(sr.getObject());
      }
    }
    catch (NamingException ne) {
      throw ne;
    }
    finally {
      if (ctx != null)
        ctx.close();
    }

    // The 'result' list returned by search() contains objects whose modifications can be
    // reflected into the database, and it is handed to every caller of this entry point.
    return result;
  }

  public boolean exists(String dn) throws NamingException {
    Properties env = createEnvironment();
    LdapContext ctx = new InitialLdapContext(env, null);
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
    ctls.setReturningAttributes(new String[0]);
    ctls.setReturningObjFlag(false);                            // ok: flag set to false

    try {
      ctx.search(dn, "(objectClass=*)", ctls);
      return true;
    }
    catch (NameNotFoundException nne) {
      return false;
    }
    finally {
      ctx.close();                                              // release the connection on every path
    }
  }

  protected Properties createEnvironment() {
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.setProperty(Context.PROVIDER_URL, "www.juliasoft.com");
    env.setProperty(Context.OBJECT_FACTORIES, "my.factory");
    env.setProperty(Context.SECURITY_PRINCIPAL, "user");
    env.setProperty(Context.SECURITY_CREDENTIALS, "verysecretpassword");
    env.setProperty(Context.SECURITY_AUTHENTICATION, "none"); // Disables authentication (the principal and credentials above are ignored), leading to the "LDAP Authentication Disabled (Java)" warning above.
    return env;
  }
}

Remedy

Do not allow LDAP queries to return objects whose modifications are reflected into the database. In practice, do not call SearchControls.setReturningObjFlag(true) for such queries (the flag is false by default), and hand callers copies of the attribute values rather than the objects built for the entries. Do not create unauthenticated LDAP connections: set Context.SECURITY_AUTHENTICATION to a real mechanism such as "simple" (with a bind DN and credentials) instead of "none".
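The following is a hardened counterpart to the search() method above, written as an added example rather than code from the checker documentation or from JuliaSoft. It keeps the returning-object flag at false, copies the attribute values out of each SearchResult into plain strings so callers never hold anything that reaches back into the directory, binds with "simple" authentication, and omits Context.OBJECT_FACTORIES. The server URL, bind DN and class name are placeholders chosen for the example.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapSafeSearch {

  // Placeholder server and bind identity for this example; take real values from configuration
  // and the password from a secrets store, never from a string literal.
  private static final String PROVIDER_URL = "ldaps://ldap.example.com:636";
  private static final String BIND_DN = "cn=search-user,ou=services,dc=example,dc=com";

  /**
   * Returns a read-only snapshot of the requested attributes as "dn: attr=value" strings.
   * No object built for a directory entry is ever exposed to the caller.
   */
  public List<String> search(String base, String filter, Object[] args, String[] attributes,
                             char[] bindPassword) throws NamingException {
    LdapContext ctx = new InitialLdapContext(createEnvironment(bindPassword), null);
    List<String> result = new ArrayList<>();
    try {
      SearchControls ctls = new SearchControls();
      ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
      ctls.setReturningAttributes(attributes);
      ctls.setReturningObjFlag(false);   // attribute values only; no objects from object factories

      NamingEnumeration<SearchResult> enm = ctx.search(base, filter, args, ctls);
      try {
        while (enm.hasMore()) {
          SearchResult sr = enm.next();
          Attributes attrs = sr.getAttributes();
          NamingEnumeration<? extends Attribute> all = attrs.getAll();
          try {
            while (all.hasMore()) {
              Attribute a = all.next();
              // Copy each value into an immutable String; the caller cannot modify the entry
              // through the returned list.
              for (int i = 0; i < a.size(); i++) {
                result.add(sr.getNameInNamespace() + ": " + a.getID() + "=" + a.get(i));
              }
            }
          } finally {
            all.close();
          }
        }
      } finally {
        enm.close();
      }
    } finally {
      ctx.close();                       // release the connection on every path
    }
    return Collections.unmodifiableList(result);
  }

  private Properties createEnvironment(char[] bindPassword) {
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.setProperty(Context.PROVIDER_URL, PROVIDER_URL);
    env.setProperty(Context.SECURITY_AUTHENTICATION, "simple");   // authenticated bind, not "none"
    env.setProperty(Context.SECURITY_PRINCIPAL, BIND_DN);
    env.setProperty(Context.SECURITY_CREDENTIALS, new String(bindPassword));
    // Context.OBJECT_FACTORIES is deliberately not set: nothing turns entries into live objects.
    return env;
  }
}
```

Because the result is an unmodifiable list of strings built after the context has been closed, a caller that tries to tamper with a "returned object" has nothing to tamper with; the only way to change the directory is an explicit modify operation over an authenticated context, which is where access control belongs.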

Related configuration file parameters

The following parameters in the configuration file affect the check for this warning class.