
Commit 581d496

committed
Java: Fix LdapInjection qltest
1 parent 48e4759 commit 581d496

6 files changed

+319
-228
lines changed


java/ql/test/query-tests/security/CWE-090/LdapInjection.expected

Lines changed: 227 additions & 227 deletions

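--- a/java/ql/test/query-tests/security/CWE-090/LdapInjection.java
+++ b/java/ql/test/query-tests/security/CWE-090/LdapInjection.java
@@ -34,273 +34,327 @@
 import org.springframework.ldap.support.LdapEncoder;
 import org.springframework.ldap.support.LdapNameBuilder;
 import org.springframework.ldap.support.LdapUtils;
+import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RequestMapping;
 
+@Controller
 public class LdapInjection {
 // JNDI
+@RequestMapping
 public void testJndiBad1(@RequestParam String jBad, @RequestParam String jBadDN, DirContext ctx)
 throws NamingException {
 ctx.search("ou=system" + jBadDN, "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad2(@RequestParam String jBad, @RequestParam String jBadDNName, InitialDirContext ctx)
 throws NamingException {
 ctx.search(new LdapName("ou=system" + jBadDNName), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad3(@RequestParam String jBad, @RequestParam String jOkDN, LdapContext ctx)
 throws NamingException {
 ctx.search(new LdapName(List.of(new Rdn("ou=" + jOkDN))), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad4(@RequestParam String jBadInitial, InitialLdapContext ctx)
 throws NamingException {
 ctx.search("ou=system", "(uid=" + jBadInitial + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad5(@RequestParam String jBad, @RequestParam String jBadDNNameAdd, InitialDirContext ctx)
 throws NamingException {
 ctx.search(new LdapName("").addAll(new LdapName("ou=system" + jBadDNNameAdd)), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad6(@RequestParam String jBad, @RequestParam String jBadDNNameAdd2, InitialDirContext ctx)
 throws NamingException {
 LdapName name = new LdapName("");
 name.addAll(new LdapName("ou=system" + jBadDNNameAdd2).getRdns());
 ctx.search(new LdapName("").addAll(name), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad7(@RequestParam String jBad, @RequestParam String jBadDNNameToString, InitialDirContext ctx)
 throws NamingException {
 ctx.search(new LdapName("ou=system" + jBadDNNameToString).toString(), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiBad8(@RequestParam String jBad, @RequestParam String jBadDNNameClone, InitialDirContext ctx)
 throws NamingException {
 ctx.search((Name) new LdapName("ou=system" + jBadDNNameClone).clone(), "(uid=" + jBad + ")", new SearchControls());
 }
 
+@RequestMapping
 public void testJndiOk1(@RequestParam String jOkFilterExpr, DirContext ctx) throws NamingException {
 ctx.search("ou=system", "(uid={0})", new String[] { jOkFilterExpr }, new SearchControls());
 }
 
+@RequestMapping
 public void testJndiOk2(@RequestParam String jOkAttribute, DirContext ctx) throws NamingException {
 ctx.search("ou=system", new BasicAttributes(jOkAttribute, jOkAttribute));
 }
 
 // UnboundID
+@RequestMapping
 public void testUnboundBad1(@RequestParam String uBad, @RequestParam String uBadDN, LDAPConnection c)
 throws LDAPSearchException {
 c.search(null, "ou=system" + uBadDN, null, null, 1, 1, false, "(uid=" + uBad + ")");
 }
 
+@RequestMapping
 public void testUnboundBad2(@RequestParam String uBadFilterCreate, LDAPConnection c) throws LDAPException {
 c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreate));
 }
 
+@RequestMapping
 public void testUnboundBad3(@RequestParam String uBadROSearchRequest, @RequestParam String uBadROSRDN,
 LDAPConnection c) throws LDAPException {
 ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDN, null, null, 1, 1, false,
 "(uid=" + uBadROSearchRequest + ")");
 c.search(s);
 }
 
+@RequestMapping
 public void testUnboundBad4(@RequestParam String uBadSearchRequest, @RequestParam String uBadSRDN, LDAPConnection c)
 throws LDAPException {
 SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDN, null, null, 1, 1, false,
 "(uid=" + uBadSearchRequest + ")");
 c.search(s);
 }
 
+@RequestMapping
 public void testUnboundBad5(@RequestParam String uBad, @RequestParam String uBadDNSFR, LDAPConnection c)
 throws LDAPSearchException {
 c.searchForEntry("ou=system" + uBadDNSFR, null, null, 1, false, "(uid=" + uBad + ")");
 }
 
+@RequestMapping
 public void testUnboundBad6(@RequestParam String uBadROSearchRequestAsync, @RequestParam String uBadROSRDNAsync,
 LDAPConnection c) throws LDAPException {
 ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDNAsync, null, null, 1, 1, false,
 "(uid=" + uBadROSearchRequestAsync + ")");
 c.asyncSearch(s);
 }
 
+@RequestMapping
 public void testUnboundBad7(@RequestParam String uBadSearchRequestAsync, @RequestParam String uBadSRDNAsync, LDAPConnection c)
 throws LDAPException {
 SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDNAsync, null, null, 1, 1, false,
 "(uid=" + uBadSearchRequestAsync + ")");
 c.asyncSearch(s);
 }
 
+@RequestMapping
 public void testUnboundBad8(@RequestParam String uBadFilterCreateNOT, LDAPConnection c) throws LDAPException {
 c.search(null, "ou=system", null, null, 1, 1, false, Filter.createNOTFilter(Filter.create(uBadFilterCreateNOT)));
 }
 
+@RequestMapping
 public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException {
 c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString());
 }
 
+@RequestMapping
 public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException {
 StringBuilder b = new StringBuilder();
 Filter.create(uBadFilterCreateToStringBuffer).toNormalizedString(b);
 c.search(null, "ou=system", null, null, 1, 1, false, b.toString());
 }
-
+
+@RequestMapping
 public void testUnboundBad11(@RequestParam String uBadSearchRequestDuplicate, LDAPConnection c)
 throws LDAPException {
 SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
 "(uid=" + uBadSearchRequestDuplicate + ")");
 c.search(s.duplicate());
 }
 
+@RequestMapping
 public void testUnboundBad12(@RequestParam String uBadROSearchRequestDuplicate, LDAPConnection c)
 throws LDAPException {
 ReadOnlySearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
 "(uid=" + uBadROSearchRequestDuplicate + ")");
 c.search(s.duplicate());
 }
 
+@RequestMapping
 public void testUnboundBad13(@RequestParam String uBadSearchRequestSetDN, LDAPConnection c)
 throws LDAPException {
 SearchRequest s = new SearchRequest(null, "", null, null, 1, 1, false, "");
 s.setBaseDN(uBadSearchRequestSetDN);
 c.search(s);
 }
 
+@RequestMapping
 public void testUnboundBad14(@RequestParam String uBadSearchRequestSetFilter, LDAPConnection c)
 throws LDAPException {
 SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false, "");
 s.setFilter(uBadSearchRequestSetFilter);
 c.search(s);
 }
 
+@RequestMapping
 public void testUnboundOk1(@RequestParam String uOkEqualityFilter, LDAPConnection c) throws LDAPSearchException {
 c.search(null, "ou=system", null, null, 1, 1, false, Filter.createEqualityFilter("uid", uOkEqualityFilter));
 }
 
+@RequestMapping
 public void testUnboundOk2(@RequestParam String uOkVaragsAttr, LDAPConnection c) throws LDAPSearchException {
 c.search("ou=system", null, null, 1, 1, false, "(uid=fixed)", "a" + uOkVaragsAttr);
 }
 
+@RequestMapping
 public void testUnboundOk3(@RequestParam String uOkFilterSearchRequest, LDAPConnection c) throws LDAPException {
 SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
 Filter.createEqualityFilter("uid", uOkFilterSearchRequest));
 c.search(s);
 }
 
+@RequestMapping
 public void testUnboundOk4(@RequestParam String uOkSearchRequestVarargs, LDAPConnection c) throws LDAPException {
 SearchRequest s = new SearchRequest("ou=system", null, "(uid=fixed)", "va1", "va2", "va3",
 "a" + uOkSearchRequestVarargs);
 c.search(s);
 }
 
 // Spring LDAP
+@RequestMapping
 public void testSpringBad1(@RequestParam String sBad, @RequestParam String sBadDN, LdapTemplate c) {
 c.search("ou=system" + sBadDN, "(uid=" + sBad + ")", 1, false, null);
 }
 
+@RequestMapping
 public void testSpringBad2(@RequestParam String sBad, @RequestParam String sBadDNLNBuilder, LdapTemplate c) {
 c.authenticate(LdapNameBuilder.newInstance("ou=system" + sBadDNLNBuilder).build(), "(uid=" + sBad + ")", "pass");
 }
 
+@RequestMapping
 public void testSpringBad3(@RequestParam String sBad, @RequestParam String sBadDNLNBuilderAdd, LdapTemplate c) {
 c.searchForObject(LdapNameBuilder.newInstance().add("ou=system" + sBadDNLNBuilderAdd).build(), "(uid=" + sBad + ")", null);
 }
 
+@RequestMapping
 public void testSpringBad4(@RequestParam String sBadLdapQuery, LdapTemplate c) {
 c.findOne(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"), null);
 }
 
+@RequestMapping
 public void testSpringBad5(@RequestParam String sBadFilter, @RequestParam String sBadDNLdapUtils, LdapTemplate c) {
 c.find(LdapUtils.newLdapName("ou=system" + sBadDNLdapUtils), new HardcodedFilter("(uid=" + sBadFilter + ")"), null, null);
 }
 
+@RequestMapping
 public void testSpringBad6(@RequestParam String sBadLdapQuery, LdapTemplate c) {
 c.searchForContext(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"));
 }
 
+@RequestMapping
 public void testSpringBad7(@RequestParam String sBadLdapQuery2, LdapTemplate c) {
 LdapQuery q = LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery2 + ")");
 c.searchForContext(q);
 }
 
+@RequestMapping
 public void testSpringBad8(@RequestParam String sBadLdapQueryWithFilter, LdapTemplate c) {
 c.searchForContext(LdapQueryBuilder.query().filter(new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter + ")")));
 }
 
+@RequestMapping
 public void testSpringBad9(@RequestParam String sBadLdapQueryWithFilter2, LdapTemplate c) {
 org.springframework.ldap.filter.Filter f = new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter2 + ")");
 c.searchForContext(LdapQueryBuilder.query().filter(f));
 }
 
+@RequestMapping
 public void testSpringBad10(@RequestParam String sBadLdapQueryBase, LdapTemplate c) {
 c.find(LdapQueryBuilder.query().base(sBadLdapQueryBase).base(), null, null, null);
 }
 
+@RequestMapping
 public void testSpringBad11(@RequestParam String sBadLdapQueryComplex, LdapTemplate c) {
 c.searchForContext(LdapQueryBuilder.query().base(sBadLdapQueryComplex).where("uid").is("test"));
 }
 
+@RequestMapping
 public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) {
 c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null);
 }
 
+@RequestMapping
 public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) {
 StringBuffer s = new StringBuffer();
 new HardcodedFilter("(uid=" + sBadFilterEncode + ")").encode(s);
 c.search("", s.toString(), 1, false, null);
 }
 
+@RequestMapping
 public void testSpringOk1(@RequestParam String sOkLdapQuery, LdapTemplate c) {
 c.find(LdapQueryBuilder.query().filter("(uid={0})", sOkLdapQuery), null);
 }
 
+@RequestMapping
 public void testSpringOk2(@RequestParam String sOkFilter, @RequestParam String sOkDN, LdapTemplate c) {
 c.find(LdapNameBuilder.newInstance().add("ou", sOkDN).build(), new EqualsFilter("uid", sOkFilter), null, null);
 }
 
+@RequestMapping
 public void testSpringOk3(@RequestParam String sOkLdapQuery, @RequestParam String sOkPassword, LdapTemplate c) {
 c.authenticate(LdapQueryBuilder.query().filter("(uid={0})", sOkLdapQuery), sOkPassword);
 }
 
 // Apache LDAP API
+@RequestMapping
 public void testApacheBad1(@RequestParam String aBad, @RequestParam String aBadDN, LdapConnection c)
 throws LdapException {
 c.search("ou=system" + aBadDN, "(uid=" + aBad + ")", null);
 }
 
+@RequestMapping
 public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c)
 throws LdapException {
 c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null);
 }
 
+@RequestMapping
 public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c)
 throws LdapException {
 org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
 s.setFilter("(uid=" + aBadSearchRequest + ")");
 c.search(s);
 }
 
+@RequestMapping
 public void testApacheBad4(@RequestParam String aBadSearchRequestImpl, @RequestParam String aBadDNObj, LdapConnection c)
 throws LdapException {
 SearchRequestImpl s = new SearchRequestImpl();
 s.setBase(new Dn("ou=system" + aBadDNObj));
 c.search(s);
 }
 
+@RequestMapping
 public void testApacheBad5(@RequestParam String aBadDNSearchRequestGet, LdapConnection c)
 throws LdapException {
 org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
 s.setBase(new Dn("ou=system" + aBadDNSearchRequestGet));
 c.search(s.getBase(), "(uid=test", null);
 }
 
+@RequestMapping
 public void testApacheOk1(@RequestParam String aOk, LdapConnection c)
 throws LdapException {
 org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
 s.setFilter(new EqualityNode<String>("uid", aOk));
 c.search(s);
 }
 
+@RequestMapping
 public void testApacheOk2(@RequestParam String aOk, LdapConnection c)
 throws LdapException {
 SearchRequestImpl s = new SearchRequestImpl();
@@ -309,17 +363,20 @@ public void testApacheOk2(@RequestParam String aOk, LdapConnection c)
 }
 
 // ESAPI encoder sanitizer
+@RequestMapping
 public void testOk3(@RequestParam String okEncodeForLDAP, DirContext ctx) throws NamingException {
 Encoder encoder = DefaultEncoder.getInstance();
 ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls());
 }
 
 // Spring LdapEncoder sanitizer
+@RequestMapping
 public void testOk4(@RequestParam String okFilterEncode, DirContext ctx) throws NamingException {
 ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls());
 }
 
 // UnboundID Filter.encodeValue sanitizer
+@RequestMapping
 public void testOk5(@RequestParam String okUnboundEncodeValue, DirContext ctx) throws NamingException {
 ctx.search("ou=system", "(uid=" + Filter.encodeValue(okUnboundEncodeValue) + ")", new SearchControls());
 }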
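Review bot: Nothing in the test records why the class now carries `@Controller` and every test method `@RequestMapping`; the commit title only says the qltest is fixed, and the annotations are otherwise dead weight on a file whose methods are never dispatched. Presumably the LdapInjection query's remote-source model now only treats `@RequestParam` parameters as tainted when they sit on a handler method of a Spring controller, so a one-line comment above the added `@Controller` would stop the next maintainer from stripping the annotations as noise: `// @Controller + @RequestMapping are needed for @RequestParam arguments to count as remote flow sources`. Separately, the new `import org.springframework.web.bind.annotation.RequestMapping;` is placed after the `RequestParam` import, breaking the alphabetical order of the surrounding import block; swap the two lines. The removed blank line at old 147 and the re-added blank at new 170 look like a whitespace-only change that could be dropped from the diff. The import block begins before the first hunk and the class body continues past the second.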
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
package org.springframework.stereotype;
2+
3+
import java.lang.annotation.*;
4+
5+
@Target(value=ElementType.TYPE)
6+
@Retention(value=RetentionPolicy.RUNTIME)
7+
@Documented
8+
@Indexed
9+
public @interface Component { }
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
package org.springframework.stereotype;
2+
3+
import java.lang.annotation.*;
4+
5+
@Target(value=ElementType.TYPE)
6+
@Retention(value=RetentionPolicy.RUNTIME)
7+
@Documented
8+
@Component
9+
public @interface Controller { }
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
package org.springframework.stereotype;
2+
3+
import java.lang.annotation.*;
4+
5+
@Target(value=ElementType.TYPE)
6+
@Retention(value=RetentionPolicy.RUNTIME)
7+
@Documented
8+
public @interface Indexed { }
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
package org.springframework.web.bind.annotation;
2+
3+
import java.lang.annotation.*;
4+
5+
@Target(value={ElementType.METHOD,ElementType.TYPE})
6+
@Retention(value=RetentionPolicy.RUNTIME)
7+
@Documented
8+
public @interface RequestMapping { }
