- Java ldap query tool generator#
- Java ldap query tool archive#
- Java ldap query tool android#
- Java ldap query tool code#
The second example uses the OWASP ESAPI library to encode the user values before they are included in the DN and search filters. The LDAP query is executed using Java JNDI API. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query.
Java ldap query tool code#
In the following examples, the code accepts an “organization name” and a “username” from the user, which it uses to query LDAP. Alternatively, escape user input using an appropriate LDAP encoding method, for example: encodeForLDAP or encodeForDN from OWASP ESAPI, LdapEncoder.filterEncode or LdapEncoder.nameEncode from Spring LDAP, or Filter.encodeValue from UnboundID library. If possible build the LDAP query using framework helper methods, for example from Spring’s LdapQueryBuilder and LdapNameBuilder, instead of string concatenation. If user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries. TrustManager that accepts all certificatesĬlick to see the query in the CodeQL repository.XSLT transformation with user-controlled stylesheet.Whitespace contradicts operator precedence.User-controlled data used in permissions check.User-controlled data in arithmetic expression.User-controlled bypass of sensitive method.Use of externally-controlled format string.
Java ldap query tool generator#
Use of a predictable seed in a secure random number generator.Use of a potentially dangerous function.Use of a potentially broken or risky cryptographic algorithm.Use of a broken or risky cryptographic algorithm.
Java ldap query tool android#
Unsafe resource fetching in Android WebView.Uncontrolled data used in path expression.Uncontrolled data in arithmetic expression.Type mismatch on container modification.Time-of-check time-of-use race condition.Synchronization on boxed types or strings.Serialization methods do not match required signature.Serializable inner class of non-serializable class.Result of multiplication cast to wider type.Resolving XML external entity in user-controlled data.ReadResolve must have Object return type, not void.Race condition in socket authentication.Race condition in double-checked locking object initialization.Query built without neutralizing special characters.Query built from user-controlled sources.OGNL Expression Language statement with user-controlled input.Non-synchronized override of synchronized method.Non-final method invocation in constructor.Local information disclosure in a temporary directory.Leaking sensitive information through an implicit Intent.LDAP query built from user-controlled sources.Insertion of sensitive information into log files.
Information exposure through a stack trace.Incorrect absolute value of random number.Inconsistent synchronization of getter and setter.Inconsistent synchronization for writeObject().Improper validation of user-provided size used for array construction.Improper validation of user-provided array index.
Java ldap query tool archive#