Merge pull request #2651 from ggolawski/java-ldap-injection

Java LDAP Injection (CWE-90)

java/ql/src/Security/CWE/CWE-090/LdapInjection.qhelp

@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>If an LDAP query is built using string concatenation, and the
+components of the concatenation include user input, a user 
+is likely to be able to run malicious LDAP queries.</p>
+</overview>
+
+<recommendation>
+<p>If user input must be included in an LDAP query, it should be escaped to
+avoid a malicious user providing special characters that change the meaning
+of the query. If possible build the LDAP query using framework helper methods, for example
+from Spring's <code>LdapQueryBuilder</code> and <code>LdapNameBuilder</code>,
+instead of string concatenation. Alternatively, escape user input using an appropriate
+LDAP encoding method, for example: <code>encodeForLDAP</code> or <code>encodeForDN</code>
+from OWASP ESAPI, <code>LdapEncoder.filterEncode</code> or <code>LdapEncoder.nameEncode</code>
+from Spring LDAP, or <code>Filter.encodeValue</code> from UnboundID library.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the code accepts an "organization name" and a "username"
+from the user, which it uses to query LDAP.</p>
+
+<p>The first example concatenates the unvalidated and unencoded user input directly
+into both the DN (Distinguished Name) and the search filter used for the LDAP query.
+A malicious user could provide special characters to change the meaning of these
+queries, and search for a completely different set of values. The LDAP query is executed
+using Java JNDI API.
+</p>
+
+<p>The second example uses the OWASP ESAPI library to encode the user values
+before they are included in the DN and search filters. This ensures the meaning of
+the query cannot be changed by a malicious user.</p>
+
+<sample src="LdapInjectionJndi.java" />
+
+<p>The third example uses Spring <code>LdapQueryBuilder</code> to build an LDAP query. In addition to
+simplifying the building of complex search parameters, it also provides proper escaping of any
+unsafe characters in search filters. The DN is built using <code>LdapNameBuilder</code>, which also provides
+proper escaping.</p>
+
+<sample src="LdapInjectionSpring.java" />
+
+<p>The fourth example uses <code>UnboundID</code> classes, <code>Filter</code> and <code>DN</code>, to construct a safe filter and
+base DN.</p>
+
+<sample src="LdapInjectionUnboundId.java" />
+
+<p>The fifth example shows how to build a safe filter and DN using the Apache LDAP API.</p>
+
+<sample src="LdapInjectionApache.java" />
+</example>
+
+<references>
+<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html">LDAP Injection Prevention Cheat Sheet</a>.</li>
+<li>OWASP ESAPI: <a href="https://owasp.org/www-project-enterprise-security-api/">OWASP ESAPI</a>.</li>
+<li>Spring LdapQueryBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html">LdapQueryBuilder</a>.</li>
+<li>Spring LdapNameBuilder doc: <a href="https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/support/LdapNameBuilder.html">LdapNameBuilder</a>.</li>
+<li>UnboundID: <a href="https://ldap.com/2018/05/04/understanding-and-defending-against-ldap-injection-attacks/">Understanding and Defending Against LDAP Injection Attacks</a>.</li>
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

@@ -0,0 +1,21 @@
+/**
+ * @name LDAP query built from user-controlled sources
+ * @description Building an LDAP query from user-controlled sources is vulnerable to insertion of
+ *              malicious LDAP code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ldap-injection
+ * @tags security
+ *       external/cwe/cwe-090
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import LdapInjectionLib
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, LdapInjectionFlowConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "LDAP query might include code from $@.", source.getNode(),
+  "this user input"

java/ql/src/Security/CWE/CWE-090/LdapInjectionApache.java

@@ -0,0 +1,22 @@
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.api.ldap.model.name.Rdn;
+import org.apache.directory.api.ldap.model.message.SearchRequest;
+import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
+import static org.apache.directory.ldap.client.api.search.FilterBuilder.equal;
+
+public void ldapQueryGood(HttpServletRequest request, LdapConnection c) {
+  String organizationName = request.getParameter("organization_name");
+  String username = request.getParameter("username");
+
+  // GOOD: Organization name is encoded before being used in DN
+  Dn safeDn = new Dn(new Rdn("OU", "People"), new Rdn("O", organizationName));
+
+  // GOOD: User input is encoded before being used in search filter
+  String safeFilter = equal("username", username);
+  
+  SearchRequest searchRequest = new SearchRequestImpl();
+  searchRequest.setBase(safeDn);
+  searchRequest.setFilter(safeFilter);
+  c.search(searchRequest);
+}

java/ql/src/Security/CWE/CWE-090/LdapInjectionJndi.java

@@ -0,0 +1,34 @@
+import javax.naming.directory.DirContext;
+import org.owasp.esapi.Encoder;
+import org.owasp.esapi.reference.DefaultEncoder;
+
+public void ldapQueryBad(HttpServletRequest request, DirContext ctx) throws NamingException {
+  String organizationName = request.getParameter("organization_name");
+  String username = request.getParameter("username");
+
+  // BAD: User input used in DN (Distinguished Name) without encoding
+  String dn = "OU=People,O=" + organizationName;
+
+  // BAD: User input used in search filter without encoding
+  String filter = "username=" + userName;
+
+  ctx.search(dn, filter, new SearchControls());
+}
+
+public void ldapQueryGood(HttpServletRequest request, DirContext ctx) throws NamingException {
+  String organizationName = request.getParameter("organization_name");
+  String username = request.getParameter("username");
+
+  // ESAPI encoder
+  Encoder encoder = DefaultEncoder.getInstance();
+
+  // GOOD: Organization name is encoded before being used in DN
+  String safeOrganizationName = encoder.encodeForDN(organizationName);
+  String safeDn = "OU=People,O=" + safeOrganizationName;
+
+  // GOOD: User input is encoded before being used in search filter
+  String safeUsername = encoder.encodeForLDAP(username);
+  String safeFilter = "username=" + safeUsername;
+  
+  ctx.search(safeDn, safeFilter, new SearchControls());
+}

java/ql/src/Security/CWE/CWE-090/LdapInjectionLib.qll

@@ -0,0 +1,406 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import DataFlow
+import semmle.code.java.frameworks.Jndi
+import semmle.code.java.frameworks.UnboundId
+import semmle.code.java.frameworks.SpringLdap
+import semmle.code.java.frameworks.ApacheLdap
+
+/**
+ * A taint-tracking configuration for unvalidated user input that is used to construct LDAP queries.
+ */
+class LdapInjectionFlowConfig extends TaintTracking::Configuration {
+  LdapInjectionFlowConfig() { this = "LdapInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof LdapInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    ldapNameStep(node1, node2) or
+    ldapNameAddAllStep(node1, node2) or
+    ldapNameGetCloneStep(node1, node2) or
+    filterStep(node1, node2) or
+    filterToStringStep(node1, node2) or
+    unboundIdSearchRequestStep(node1, node2) or
+    unboundIdSearchRequestDuplicateStep(node1, node2) or
+    unboundIdSearchRequestSetStep(node1, node2) or
+    ldapQueryStep(node1, node2) or
+    ldapQueryBaseStep(node1, node2) or
+    ldapQueryBuilderStep(node1, node2) or
+    hardcodedFilterStep(node1, node2) or
+    springLdapFilterToStringStep(node1, node2) or
+    ldapNameBuilderStep(node1, node2) or
+    ldapNameBuilderBuildStep(node1, node2) or
+    ldapUtilsStep(node1, node2) or
+    apacheSearchRequestStep(node1, node2) or
+    apacheSearchRequestGetStep(node1, node2) or
+    apacheLdapDnStep(node1, node2) or
+    apacheLdapDnGetStep(node1, node2)
+  }
+}
+
+/**
+ * JNDI sink for LDAP injection vulnerabilities, i.e. 1st (DN) or 2nd (filter) argument to
+ * `search` method from `DirContext`.
+ */
+predicate jndiLdapInjectionSinkMethod(Method m, int index) {
+  m.getDeclaringType().getAnAncestor() instanceof TypeDirContext and
+  m.hasName("search") and
+  index in [0 .. 1]
+}
+
+/**
+ * UnboundID sink for LDAP injection vulnerabilities,
+ * i.e. LDAPConnection.search, LDAPConnection.asyncSearch or LDAPConnection.searchForEntry method.
+ */
+predicate unboundIdLdapInjectionSinkMethod(Method m, int index) {
+  exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
+    m instanceof MethodUnboundIdLDAPConnectionSearch or
+    m instanceof MethodUnboundIdLDAPConnectionAsyncSearch or
+    m instanceof MethodUnboundIdLDAPConnectionSearchForEntry
+  )
+}
+
+/**
+ * Spring LDAP sink for LDAP injection vulnerabilities,
+ * i.e. LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method.
+ */
+predicate springLdapInjectionSinkMethod(Method m, int index) {
+  // LdapTemplate.authenticate, LdapTemplate.find* or LdapTemplate.search* method
+  (
+    m instanceof MethodSpringLdapTemplateAuthenticate or
+    m instanceof MethodSpringLdapTemplateFind or
+    m instanceof MethodSpringLdapTemplateFindOne or
+    m instanceof MethodSpringLdapTemplateSearch or
+    m instanceof MethodSpringLdapTemplateSearchForContext or
+    m instanceof MethodSpringLdapTemplateSearchForObject
+  ) and
+  (
+    // Parameter index is 1 (DN or query) or 2 (filter) if method is not authenticate
+    index in [0 .. 1] and
+    not m instanceof MethodSpringLdapTemplateAuthenticate
+    or
+    // But it's not the last parameter in case of authenticate method (last param is password)
+    index in [0 .. 1] and
+    index < m.getNumberOfParameters() - 1 and
+    m instanceof MethodSpringLdapTemplateAuthenticate
+  )
+}
+
+/** Apache LDAP API sink for LDAP injection vulnerabilities, i.e. LdapConnection.search method. */
+predicate apacheLdapInjectionSinkMethod(Method m, int index) {
+  exists(Parameter param | m.getParameter(index) = param and not param.isVarargs() |
+    m.getDeclaringType().getAnAncestor() instanceof TypeApacheLdapConnection and
+    m.hasName("search")
+  )
+}
+
+/** Holds if parameter at index `index` in method `m` is LDAP injection sink. */
+predicate ldapInjectionSinkMethod(Method m, int index) {
+  jndiLdapInjectionSinkMethod(m, index) or
+  unboundIdLdapInjectionSinkMethod(m, index) or
+  springLdapInjectionSinkMethod(m, index) or
+  apacheLdapInjectionSinkMethod(m, index)
+}
+
+/** A data flow sink for unvalidated user input that is used to construct LDAP queries. */
+class LdapInjectionSink extends DataFlow::ExprNode {
+  LdapInjectionSink() {
+    exists(MethodAccess ma, Method m, int index |
+      ma.getMethod() = m and
+      ma.getArgument(index) = this.getExpr() and
+      ldapInjectionSinkMethod(m, index)
+    )
+  }
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName`,
+ * i.e. `new LdapName(tainted)`.
+ */
+predicate ldapNameStep(ExprNode n1, ExprNode n2) {
+  exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeLdapName |
+    n1.asExpr() = cc.getAnArgument() and
+    n2.asExpr() = cc
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `List<Rdn>` and `LdapName`,
+ * i.e. `new LdapName().addAll(tainted)`.
+ */
+predicate ldapNameAddAllStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma |
+    n1.asExpr() = ma.getAnArgument() and
+    (n2.asExpr() = ma or n2.asExpr() = ma.getQualifier())
+  |
+    ma.getMethod() instanceof MethodLdapNameAddAll
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `LdapName` and `LdapName` or
+ * `String`, i.e. `taintedLdapName.clone()`, `taintedLdapName.getAll()`,
+ * `taintedLdapName.getRdns()` or `taintedLdapName.toString()`.
+ */
+predicate ldapNameGetCloneStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getQualifier() and
+    n2.asExpr() = ma and
+    ma.getMethod() = m
+  |
+    m instanceof MethodLdapNameClone or
+    m instanceof MethodLdapNameGetAll or
+    m instanceof MethodLdapNameGetRdns or
+    m instanceof MethodLdapNameToString
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and UnboundID `Filter`,
+ * i.e. `Filter.create*(tainted)`.
+ */
+predicate filterStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getAnArgument() and
+    n2.asExpr() = ma and
+    ma.getMethod() = m
+  |
+    m instanceof MethodUnboundIdFilterCreate or
+    m instanceof MethodUnboundIdFilterCreateANDFilter or
+    m instanceof MethodUnboundIdFilterCreateNOTFilter or
+    m instanceof MethodUnboundIdFilterCreateORFilter or
+    m instanceof MethodUnboundIdFilterSimplifyFilter
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between UnboundID `Filter` and `String`,
+ * i.e. `taintedFilter.toString()` or `taintedFilter.toString(buffer)`.
+ */
+predicate filterToStringStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getQualifier() and
+    (n2.asExpr() = ma or n2.asExpr() = ma.getAnArgument())
+  |
+    ma.getMethod() = m and
+    m.getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    (m.hasName("toString") or m.hasName("toNormalizedString"))
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and UnboundID
+ * `SearchRequest`, i.e. `new SearchRequest(tainted)`.
+ */
+predicate unboundIdSearchRequestStep(ExprNode n1, ExprNode n2) {
+  exists(ConstructorCall cc, int index, Parameter param |
+    cc.getConstructedType() instanceof TypeUnboundIdSearchRequest
+  |
+    n1.asExpr() = cc.getArgument(index) and
+    n2.asExpr() = cc and
+    cc.getConstructor().getParameter(index) = param and
+    not param.isVarargs()
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between UnboundID `SearchRequest`
+ * and UnboundID `SearchRequest`, i.e. `taintedSearchRequest.duplicate()`.
+ */
+predicate unboundIdSearchRequestDuplicateStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m | n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma |
+    ma.getMethod() = m and
+    m.getDeclaringType().getAnAncestor() instanceof TypeUnboundIdReadOnlySearchRequest and
+    m.hasName("duplicate")
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between DN or filter and UnboundID
+ * `SearchRequest`, i.e. `searchRequest.setBaseDN(tainted)` or `searchRequest.setFilter(tainted)`.
+ */
+predicate unboundIdSearchRequestSetStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getAnArgument() and
+    n2.asExpr() = ma.getQualifier() and
+    ma.getMethod() = m
+  |
+    m instanceof MethodUnboundIdSearchRequestSetBaseDN or
+    m instanceof MethodUnboundIdSearchRequestSetFilter
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring `LdapQuery`,
+ * i.e. `LdapQueryBuilder.query().filter(tainted)` or `LdapQueryBuilder.query().base(tainted)`.
+ */
+predicate ldapQueryStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m, int index |
+    n1.asExpr() = ma.getArgument(index) and
+    n2.asExpr() = ma and
+    ma.getMethod() = m and
+    index = 0
+  |
+    m instanceof MethodSpringLdapQueryBuilderFilter or
+    m instanceof MethodSpringLdapQueryBuilderBase
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between Spring `LdapQueryBuilder` and
+ * `Name`, i.e. `taintedLdapQueryBuilder.base()`.
+ */
+predicate ldapQueryBaseStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getQualifier() and
+    n2.asExpr() = ma and
+    ma.getMethod() = m
+  |
+    m instanceof MethodSpringLdapQueryBuilderBase and
+    m.getNumberOfParameters() = 0
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between Spring `LdapQueryBuilder`,
+ * `ConditionCriteria` or `ContainerCriteria`, i.e. when the query is built, for example
+ * `query().base(tainted).where("objectclass").is("person")`.
+ */
+predicate ldapQueryBuilderStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getQualifier() and
+    n2.asExpr() = ma and
+    ma.getMethod() = m
+  |
+    (
+      m.getDeclaringType() instanceof TypeSpringLdapQueryBuilder or
+      m.getDeclaringType() instanceof TypeSpringConditionCriteria or
+      m.getDeclaringType() instanceof TypeSpringContainerCriteria
+    ) and
+    (
+      m.getReturnType() instanceof TypeSpringLdapQueryBuilder or
+      m.getReturnType() instanceof TypeSpringConditionCriteria or
+      m.getReturnType() instanceof TypeSpringContainerCriteria
+    )
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring
+ * `HardcodedFilter`, i.e. `new HardcodedFilter(tainted)`.
+ */
+predicate hardcodedFilterStep(ExprNode n1, ExprNode n2) {
+  exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeSpringHardcodedFilter |
+    n1.asExpr() = cc.getAnArgument() and
+    n2.asExpr() = cc
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between Spring `Filter` and
+ * `String`, i.e. `taintedFilter.toString()`, `taintedFilter.encode()` or
+ * `taintedFilter.encode(buffer)`.
+ */
+predicate springLdapFilterToStringStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getQualifier() and
+    (n2.asExpr() = ma or n2.asExpr() = ma.getAnArgument()) and
+    ma.getMethod() = m
+  |
+    m.getDeclaringType().getAnAncestor() instanceof TypeSpringLdapFilter and
+    (m.hasName("encode") or m.hasName("toString"))
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Spring
+ * `LdapNameBuilder`, i.e. `LdapNameBuilder.newInstance(tainted)` or
+ * `LdapNameBuilder.newInstance().add(tainted)`.
+ */
+predicate ldapNameBuilderStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getAnArgument() and
+    (n2.asExpr() = ma or n2.asExpr() = ma.getQualifier()) and
+    ma.getMethod() = m and
+    m.getNumberOfParameters() = 1
+  |
+    m instanceof MethodSpringLdapNameBuilderNewInstance or
+    m instanceof MethodSpringLdapNameBuilderAdd
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between tainted Spring `LdapNameBuilder`
+ * and `LdapName`, `LdapNameBuilder.build()`.
+ */
+predicate ldapNameBuilderBuildStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma | n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma |
+    ma.getMethod() instanceof MethodSpringLdapNameBuilderBuild
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and `LdapName` via
+ * Spring `LdapUtils.newLdapName`, i.e. `LdapUtils.newLdapName(tainted)`.
+ */
+predicate ldapUtilsStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma | n1.asExpr() = ma.getAnArgument() and n2.asExpr() = ma |
+    ma.getMethod() instanceof MethodSpringLdapUtilsNewLdapName
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Apache LDAP API
+ * `SearchRequest`, i.e. `searchRequest.setFilter(tainted)` or `searchRequest.setBase(tainted)`.
+ */
+predicate apacheSearchRequestStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m |
+    n1.asExpr() = ma.getAnArgument() and
+    n2.asExpr() = ma.getQualifier()
+  |
+    ma.getMethod() = m and
+    m.getDeclaringType().getAnAncestor() instanceof TypeApacheSearchRequest and
+    (m.hasName("setFilter") or m.hasName("setBase"))
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between Apache LDAP API `SearchRequest`
+ * and filter or DN i.e. `tainterSearchRequest.getFilter()` or `taintedSearchRequest.getBase()`.
+ */
+predicate apacheSearchRequestGetStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m | n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma |
+    ma.getMethod() = m and
+    m.getDeclaringType().getAnAncestor() instanceof TypeApacheSearchRequest and
+    (m.hasName("getFilter") or m.hasName("getBase"))
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between `String` and Apache LDAP API
+ * `Dn`, i.e. `new Dn(tainted)`.
+ */
+predicate apacheLdapDnStep(ExprNode n1, ExprNode n2) {
+  exists(ConstructorCall cc | cc.getConstructedType() instanceof TypeApacheDn |
+    n1.asExpr() = cc.getAnArgument() and
+    n2.asExpr() = cc
+  )
+}
+
+/**
+ * Holds if `n1` to `n2` is a dataflow step that converts between Apache LDAP API `Dn`
+ * and `String` i.e. `taintedDn.getName()`, `taintedDn.getNormName()` or `taintedDn.toString()`.
+ */
+predicate apacheLdapDnGetStep(ExprNode n1, ExprNode n2) {
+  exists(MethodAccess ma, Method m | n1.asExpr() = ma.getQualifier() and n2.asExpr() = ma |
+    ma.getMethod() = m and
+    m.getDeclaringType().getAnAncestor() instanceof TypeApacheDn and
+    (m.hasName("getName") or m.hasName("getNormName") or m.hasName("toString"))
+  )
+}

java/ql/src/Security/CWE/CWE-090/LdapInjectionSpring.java

@@ -0,0 +1,17 @@
+import static org.springframework.ldap.query.LdapQueryBuilder.query;
+import org.springframework.ldap.support.LdapNameBuilder;
+
+public void ldapQueryGood(@RequestParam String organizationName, @RequestParam String username) {
+  // GOOD: Organization name is encoded before being used in DN
+  String safeDn = LdapNameBuilder.newInstance()
+    .add("O", organizationName)
+    .add("OU=People")
+    .build().toString();
+
+  // GOOD: User input is encoded before being used in search filter
+  LdapQuery query = query()
+    .base(safeDn)
+    .where("username").is(username);
+
+  ldapTemplate.search(query, new AttributeCheckAttributesMapper());
+}

java/ql/src/Security/CWE/CWE-090/LdapInjectionUnboundId.java

@@ -0,0 +1,17 @@
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldap.sdk.DN;
+import com.unboundid.ldap.sdk.RDN;
+import com.unboundid.ldap.sdk.Filter;
+
+public void ldapQueryGood(HttpServletRequest request, LDAPConnection c) {
+  String organizationName = request.getParameter("organization_name");
+  String username = request.getParameter("username");
+
+  // GOOD: Organization name is encoded before being used in DN
+  DN safeDn = new DN(new RDN("OU", "People"), new RDN("O", organizationName));
+
+  // GOOD: User input is encoded before being used in search filter
+  Filter safeFilter = Filter.createEqualityFilter("username", username);
+  
+  c.search(safeDn.toString(), SearchScope.ONE, safeFilter);
+}

java/ql/src/semmle/code/java/frameworks/ApacheLdap.qll

@@ -0,0 +1,27 @@
+/**
+ * Provides classes and predicates for working with the Apache LDAP API.
+ */
+
+import java
+import semmle.code.java.Type
+import semmle.code.java.Member
+
+/*--- Types ---*/
+/** The interface `org.apache.directory.ldap.client.api.LdapConnection`. */
+class TypeApacheLdapConnection extends Interface {
+  TypeApacheLdapConnection() {
+    this.hasQualifiedName("org.apache.directory.ldap.client.api", "LdapConnection")
+  }
+}
+
+/** The interface `org.apache.directory.api.ldap.model.message.SearchRequest`. */
+class TypeApacheSearchRequest extends Interface {
+  TypeApacheSearchRequest() {
+    this.hasQualifiedName("org.apache.directory.api.ldap.model.message", "SearchRequest")
+  }
+}
+
+/** The class `org.apache.directory.api.ldap.model.name.Dn`. */
+class TypeApacheDn extends Class {
+  TypeApacheDn() { this.hasQualifiedName("org.apache.directory.api.ldap.model.name", "Dn") }
+}

java/ql/src/semmle/code/java/frameworks/Jndi.qll

@@ -0,0 +1,59 @@
+/**
+ * Provides classes and predicates for working with the Java JDBC API.
+ */
+
+import java
+import semmle.code.java.Type
+import semmle.code.java.Member
+
+/*--- Types ---*/
+/** The interface `javax.naming.directory.DirContext`. */
+class TypeDirContext extends Interface {
+  TypeDirContext() { this.hasQualifiedName("javax.naming.directory", "DirContext") }
+}
+
+/** The class `javax.naming.ldap.LdapName`. */
+class TypeLdapName extends Class {
+  TypeLdapName() { this.hasQualifiedName("javax.naming.ldap", "LdapName") }
+}
+
+/*--- Methods ---*/
+/** A method with the name `addAll` declared in `javax.naming.ldap.LdapName`. */
+class MethodLdapNameAddAll extends Method {
+  MethodLdapNameAddAll() {
+    getDeclaringType() instanceof TypeLdapName and
+    hasName("addAll")
+  }
+}
+
+/** A method with the name `clone` declared in `javax.naming.ldap.LdapName`. */
+class MethodLdapNameClone extends Method {
+  MethodLdapNameClone() {
+    getDeclaringType() instanceof TypeLdapName and
+    hasName("clone")
+  }
+}
+
+/** A method with the name `getAll` declared in `javax.naming.ldap.LdapName`. */
+class MethodLdapNameGetAll extends Method {
+  MethodLdapNameGetAll() {
+    getDeclaringType() instanceof TypeLdapName and
+    hasName("getAll")
+  }
+}
+
+/** A method with the name `getRdns` declared in `javax.naming.ldap.LdapName`. */
+class MethodLdapNameGetRdns extends Method {
+  MethodLdapNameGetRdns() {
+    getDeclaringType() instanceof TypeLdapName and
+    hasName("getRdns")
+  }
+}
+
+/** A method with the name `toString` declared in `javax.naming.ldap.LdapName`. */
+class MethodLdapNameToString extends Method {
+  MethodLdapNameToString() {
+    getDeclaringType() instanceof TypeLdapName and
+    hasName("toString")
+  }
+}

java/ql/src/semmle/code/java/frameworks/SpringLdap.qll

@@ -0,0 +1,193 @@
+/**
+ * Provides classes and predicates for working with the Spring LDAP API.
+ */
+
+import java
+import semmle.code.java.Type
+import semmle.code.java.Member
+
+/*--- Types ---*/
+/** The class `org.springframework.ldap.core.LdapTemplate`. */
+class TypeSpringLdapTemplate extends Class {
+  TypeSpringLdapTemplate() {
+    this.hasQualifiedName("org.springframework.ldap.core", "LdapTemplate")
+  }
+}
+
+/** The class `org.springframework.ldap.query.LdapQueryBuilder`. */
+class TypeSpringLdapQueryBuilder extends Class {
+  TypeSpringLdapQueryBuilder() {
+    this.hasQualifiedName("org.springframework.ldap.query", "LdapQueryBuilder")
+  }
+}
+
+/** The interface `org.springframework.ldap.query.ConditionCriteria`. */
+class TypeSpringConditionCriteria extends Interface {
+  TypeSpringConditionCriteria() {
+    this.hasQualifiedName("org.springframework.ldap.query", "ConditionCriteria")
+  }
+}
+
+/** The interface `org.springframework.ldap.query.ContainerCriteria`. */
+class TypeSpringContainerCriteria extends Interface {
+  TypeSpringContainerCriteria() {
+    this.hasQualifiedName("org.springframework.ldap.query", "ContainerCriteria")
+  }
+}
+
+/** The class `org.springframework.ldap.filter.HardcodedFilter`. */
+class TypeSpringHardcodedFilter extends Class {
+  TypeSpringHardcodedFilter() {
+    this.hasQualifiedName("org.springframework.ldap.filter", "HardcodedFilter")
+  }
+}
+
+/** The interface `org.springframework.ldap.filter.Filter`. */
+class TypeSpringLdapFilter extends Interface {
+  TypeSpringLdapFilter() { this.hasQualifiedName("org.springframework.ldap.filter", "Filter") }
+}
+
+/** The class `org.springframework.ldap.support.LdapNameBuilder`. */
+class TypeSpringLdapNameBuilder extends Class {
+  TypeSpringLdapNameBuilder() {
+    this.hasQualifiedName("org.springframework.ldap.support", "LdapNameBuilder")
+  }
+}
+
+/** The class `org.springframework.ldap.support.LdapUtils`. */
+class TypeSpringLdapUtils extends Class {
+  TypeSpringLdapUtils() { this.hasQualifiedName("org.springframework.ldap.support", "LdapUtils") }
+}
+
+/*--- Methods ---*/
+/**
+ * A method with the name `authenticate` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateAuthenticate extends Method {
+  MethodSpringLdapTemplateAuthenticate() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("authenticate")
+  }
+}
+
+/**
+ * A method with the name `find` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateFind extends Method {
+  MethodSpringLdapTemplateFind() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("find")
+  }
+}
+
+/**
+ * A method with the name `findOne` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateFindOne extends Method {
+  MethodSpringLdapTemplateFindOne() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("findOne")
+  }
+}
+
+/**
+ * A method with the name `search` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateSearch extends Method {
+  MethodSpringLdapTemplateSearch() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("search")
+  }
+}
+
+/**
+ * A method with the name `searchForContext` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateSearchForContext extends Method {
+  MethodSpringLdapTemplateSearchForContext() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("searchForContext")
+  }
+}
+
+/**
+ * A method with the name `searchForObject` declared in
+ * `org.springframework.ldap.core.LdapTemplate`.
+ */
+class MethodSpringLdapTemplateSearchForObject extends Method {
+  MethodSpringLdapTemplateSearchForObject() {
+    getDeclaringType() instanceof TypeSpringLdapTemplate and
+    hasName("searchForObject")
+  }
+}
+
+/**
+ * A method with the name `filter` declared in
+ * `org.springframework.ldap.query.LdapQueryBuilder`.
+ */
+class MethodSpringLdapQueryBuilderFilter extends Method {
+  MethodSpringLdapQueryBuilderFilter() {
+    getDeclaringType() instanceof TypeSpringLdapQueryBuilder and
+    hasName("filter")
+  }
+}
+
+/**
+ * A method with the name `base` declared in
+ * `org.springframework.ldap.query.LdapQueryBuilder`.
+ */
+class MethodSpringLdapQueryBuilderBase extends Method {
+  MethodSpringLdapQueryBuilderBase() {
+    getDeclaringType() instanceof TypeSpringLdapQueryBuilder and
+    hasName("base")
+  }
+}
+
+/**
+ * A method with the name `newInstance` declared in
+ * `org.springframework.ldap.support.LdapNameBuilder`.
+ */
+class MethodSpringLdapNameBuilderNewInstance extends Method {
+  MethodSpringLdapNameBuilderNewInstance() {
+    getDeclaringType() instanceof TypeSpringLdapNameBuilder and
+    hasName("newInstance")
+  }
+}
+
+/**
+ * A method with the name `add` declared in
+ * `org.springframework.ldap.support.LdapNameBuilder`.
+ */
+class MethodSpringLdapNameBuilderAdd extends Method {
+  MethodSpringLdapNameBuilderAdd() {
+    getDeclaringType() instanceof TypeSpringLdapNameBuilder and
+    hasName("add")
+  }
+}
+
+/**
+ * A method with the name `build` declared in
+ * `org.springframework.ldap.support.LdapNameBuilder`.
+ */
+class MethodSpringLdapNameBuilderBuild extends Method {
+  MethodSpringLdapNameBuilderBuild() {
+    getDeclaringType() instanceof TypeSpringLdapNameBuilder and
+    hasName("build")
+  }
+}
+
+/**
+ * A method with the name `newLdapName` declared in
+ * `org.springframework.ldap.support.LdapUtils`.
+ */
+class MethodSpringLdapUtilsNewLdapName extends Method {
+  MethodSpringLdapUtilsNewLdapName() {
+    getDeclaringType() instanceof TypeSpringLdapUtils and
+    hasName("newLdapName")
+  }
+}

java/ql/src/semmle/code/java/frameworks/UnboundId.qll

@@ -0,0 +1,113 @@
+/**
+ * Provides classes and predicates for working with the UnboundID API.
+ */
+
+import java
+import semmle.code.java.Type
+import semmle.code.java.Member
+
+/*--- Types ---*/
+/** The interface `com.unboundid.ldap.sdk.ReadOnlySearchRequest`. */
+class TypeUnboundIdReadOnlySearchRequest extends Interface {
+  TypeUnboundIdReadOnlySearchRequest() {
+    this.hasQualifiedName("com.unboundid.ldap.sdk", "ReadOnlySearchRequest")
+  }
+}
+
+/** The class `com.unboundid.ldap.sdk.SearchRequest`. */
+class TypeUnboundIdSearchRequest extends Class {
+  TypeUnboundIdSearchRequest() { this.hasQualifiedName("com.unboundid.ldap.sdk", "SearchRequest") }
+}
+
+/** The class `com.unboundid.ldap.sdk.Filter`. */
+class TypeUnboundIdLdapFilter extends Class {
+  TypeUnboundIdLdapFilter() { this.hasQualifiedName("com.unboundid.ldap.sdk", "Filter") }
+}
+
+/** The class `com.unboundid.ldap.sdk.LDAPConnection`. */
+class TypeUnboundIdLDAPConnection extends Class {
+  TypeUnboundIdLDAPConnection() {
+    this.hasQualifiedName("com.unboundid.ldap.sdk", "LDAPConnection")
+  }
+}
+
+/*--- Methods ---*/
+/** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
+class MethodUnboundIdSearchRequestSetBaseDN extends Method {
+  MethodUnboundIdSearchRequestSetBaseDN() {
+    getDeclaringType() instanceof TypeUnboundIdSearchRequest and
+    hasName("setBaseDN")
+  }
+}
+
+/** A method with the name `setFilter` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
+class MethodUnboundIdSearchRequestSetFilter extends Method {
+  MethodUnboundIdSearchRequestSetFilter() {
+    getDeclaringType() instanceof TypeUnboundIdSearchRequest and
+    hasName("setFilter")
+  }
+}
+
+/** A method with the name `create` declared in `com.unboundid.ldap.sdk.Filter`. */
+class MethodUnboundIdFilterCreate extends Method {
+  MethodUnboundIdFilterCreate() {
+    getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    hasName("create")
+  }
+}
+
+/** A method with the name `createANDFilter` declared in `com.unboundid.ldap.sdk.Filter`. */
+class MethodUnboundIdFilterCreateANDFilter extends Method {
+  MethodUnboundIdFilterCreateANDFilter() {
+    getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    hasName("createANDFilter")
+  }
+}
+
+/** A method with the name `createORFilter` declared in `com.unboundid.ldap.sdk.Filter`. */
+class MethodUnboundIdFilterCreateORFilter extends Method {
+  MethodUnboundIdFilterCreateORFilter() {
+    getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    hasName("createORFilter")
+  }
+}
+
+/** A method with the name `createNOTFilter` declared in `com.unboundid.ldap.sdk.Filter`. */
+class MethodUnboundIdFilterCreateNOTFilter extends Method {
+  MethodUnboundIdFilterCreateNOTFilter() {
+    getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    hasName("createNOTFilter")
+  }
+}
+
+/** A method with the name `simplifyFilter` declared in `com.unboundid.ldap.sdk.Filter`. */
+class MethodUnboundIdFilterSimplifyFilter extends Method {
+  MethodUnboundIdFilterSimplifyFilter() {
+    getDeclaringType() instanceof TypeUnboundIdLdapFilter and
+    hasName("simplifyFilter")
+  }
+}
+
+/** A method with the name `search` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
+class MethodUnboundIdLDAPConnectionSearch extends Method {
+  MethodUnboundIdLDAPConnectionSearch() {
+    getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
+    hasName("search")
+  }
+}
+
+/** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
+class MethodUnboundIdLDAPConnectionAsyncSearch extends Method {
+  MethodUnboundIdLDAPConnectionAsyncSearch() {
+    getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
+    hasName("asyncSearch")
+  }
+}
+
+/** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
+class MethodUnboundIdLDAPConnectionSearchForEntry extends Method {
+  MethodUnboundIdLDAPConnectionSearchForEntry() {
+    getDeclaringType() instanceof TypeUnboundIdLDAPConnection and
+    hasName("searchForEntry")
+  }
+}

java/ql/test/query-tests/security/CWE-090/LdapInjection.expected

@@ -0,0 +1,231 @@
+edges
+| LdapInjection.java:41:28:41:52 | jBad : String | LdapInjection.java:43:38:43:57 | ... + ... |
+| LdapInjection.java:41:55:41:81 | jBadDN : String | LdapInjection.java:43:16:43:35 | ... + ... |
+| LdapInjection.java:46:28:46:52 | jBad : String | LdapInjection.java:48:56:48:75 | ... + ... |
+| LdapInjection.java:46:55:46:85 | jBadDNName : String | LdapInjection.java:48:16:48:53 | new LdapName(...) |
+| LdapInjection.java:51:28:51:52 | jBad : String | LdapInjection.java:53:63:53:82 | ... + ... |
+| LdapInjection.java:56:28:56:59 | jBadInitial : String | LdapInjection.java:58:29:58:55 | ... + ... |
+| LdapInjection.java:61:28:61:52 | jBad : String | LdapInjection.java:63:84:63:103 | ... + ... |
+| LdapInjection.java:61:55:61:88 | jBadDNNameAdd : String | LdapInjection.java:63:16:63:81 | addAll(...) |
+| LdapInjection.java:66:28:66:52 | jBad : String | LdapInjection.java:70:47:70:66 | ... + ... |
+| LdapInjection.java:66:55:66:89 | jBadDNNameAdd2 : String | LdapInjection.java:70:16:70:44 | addAll(...) |
+| LdapInjection.java:73:28:73:52 | jBad : String | LdapInjection.java:75:75:75:94 | ... + ... |
+| LdapInjection.java:73:55:73:93 | jBadDNNameToString : String | LdapInjection.java:75:16:75:72 | toString(...) |
+| LdapInjection.java:78:28:78:52 | jBad : String | LdapInjection.java:80:76:80:95 | ... + ... |
+| LdapInjection.java:78:55:78:90 | jBadDNNameClone : String | LdapInjection.java:80:16:80:73 | (...)... |
+| LdapInjection.java:92:31:92:55 | uBad : String | LdapInjection.java:94:67:94:86 | ... + ... |
+| LdapInjection.java:92:58:92:84 | uBadDN : String | LdapInjection.java:94:20:94:39 | ... + ... |
+| LdapInjection.java:97:31:97:67 | uBadFilterCreate : String | LdapInjection.java:98:58:98:88 | create(...) |
+| LdapInjection.java:101:31:101:70 | uBadROSearchRequest : String | LdapInjection.java:105:14:105:14 | s |
+| LdapInjection.java:101:73:101:103 | uBadROSRDN : String | LdapInjection.java:105:14:105:14 | s |
+| LdapInjection.java:108:31:108:68 | uBadSearchRequest : String | LdapInjection.java:112:14:112:14 | s |
+| LdapInjection.java:108:71:108:99 | uBadSRDN : String | LdapInjection.java:112:14:112:14 | s |
+| LdapInjection.java:115:31:115:55 | uBad : String | LdapInjection.java:117:69:117:88 | ... + ... |
+| LdapInjection.java:115:58:115:87 | uBadDNSFR : String | LdapInjection.java:117:22:117:44 | ... + ... |
+| LdapInjection.java:120:31:120:75 | uBadROSearchRequestAsync : String | LdapInjection.java:124:19:124:19 | s |
+| LdapInjection.java:120:78:120:113 | uBadROSRDNAsync : String | LdapInjection.java:124:19:124:19 | s |
+| LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync : String | LdapInjection.java:131:19:131:19 | s |
+| LdapInjection.java:127:76:127:109 | uBadSRDNAsync : String | LdapInjection.java:131:19:131:19 | s |
+| LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | LdapInjection.java:135:58:135:115 | createNOTFilter(...) |
+| LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | LdapInjection.java:139:58:139:107 | toString(...) |
+| LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:145:58:145:69 | toString(...) |
+| LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:152:14:152:26 | duplicate(...) |
+| LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:159:14:159:26 | duplicate(...) |
+| LdapInjection.java:162:32:162:74 | uBadSearchRequestSetDN : String | LdapInjection.java:166:14:166:14 | s |
+| LdapInjection.java:169:32:169:78 | uBadSearchRequestSetFilter : String | LdapInjection.java:173:14:173:14 | s |
+| LdapInjection.java:197:30:197:54 | sBad : String | LdapInjection.java:198:36:198:55 | ... + ... |
+| LdapInjection.java:197:57:197:83 | sBadDN : String | LdapInjection.java:198:14:198:33 | ... + ... |
+| LdapInjection.java:201:30:201:54 | sBad : String | LdapInjection.java:202:88:202:107 | ... + ... |
+| LdapInjection.java:201:57:201:92 | sBadDNLNBuilder : String | LdapInjection.java:202:20:202:85 | build(...) |
+| LdapInjection.java:205:30:205:54 | sBad : String | LdapInjection.java:206:100:206:119 | ... + ... |
+| LdapInjection.java:205:57:205:95 | sBadDNLNBuilderAdd : String | LdapInjection.java:206:23:206:97 | build(...) |
+| LdapInjection.java:209:30:209:63 | sBadLdapQuery : String | LdapInjection.java:210:15:210:76 | filter(...) |
+| LdapInjection.java:213:30:213:60 | sBadFilter : String | LdapInjection.java:214:66:214:112 | new HardcodedFilter(...) |
+| LdapInjection.java:213:63:213:98 | sBadDNLdapUtils : String | LdapInjection.java:214:12:214:63 | newLdapName(...) |
+| LdapInjection.java:217:30:217:63 | sBadLdapQuery : String | LdapInjection.java:218:24:218:85 | filter(...) |
+| LdapInjection.java:221:30:221:64 | sBadLdapQuery2 : String | LdapInjection.java:223:24:223:24 | q |
+| LdapInjection.java:226:30:226:73 | sBadLdapQueryWithFilter : String | LdapInjection.java:227:24:227:116 | filter(...) |
+| LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:232:24:232:57 | filter(...) |
+| LdapInjection.java:235:31:235:68 | sBadLdapQueryBase : String | LdapInjection.java:236:12:236:66 | base(...) |
+| LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | LdapInjection.java:240:24:240:98 | is(...) |
+| LdapInjection.java:243:31:243:69 | sBadFilterToString : String | LdapInjection.java:244:18:244:83 | toString(...) |
+| LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | LdapInjection.java:250:18:250:29 | toString(...) |
+| LdapInjection.java:266:30:266:54 | aBad : String | LdapInjection.java:268:36:268:55 | ... + ... |
+| LdapInjection.java:266:57:266:83 | aBadDN : String | LdapInjection.java:268:14:268:33 | ... + ... |
+| LdapInjection.java:271:30:271:54 | aBad : String | LdapInjection.java:273:65:273:84 | ... + ... |
+| LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | LdapInjection.java:273:14:273:62 | getName(...) |
+| LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | LdapInjection.java:280:14:280:14 | s |
+| LdapInjection.java:283:74:283:103 | aBadDNObj : String | LdapInjection.java:287:14:287:14 | s |
+| LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | LdapInjection.java:294:14:294:24 | getBase(...) |
+nodes
+| LdapInjection.java:41:28:41:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:41:55:41:81 | jBadDN : String | semmle.label | jBadDN : String |
+| LdapInjection.java:43:16:43:35 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:43:38:43:57 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:46:28:46:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:46:55:46:85 | jBadDNName : String | semmle.label | jBadDNName : String |
+| LdapInjection.java:48:16:48:53 | new LdapName(...) | semmle.label | new LdapName(...) |
+| LdapInjection.java:48:56:48:75 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:51:28:51:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:53:63:53:82 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:56:28:56:59 | jBadInitial : String | semmle.label | jBadInitial : String |
+| LdapInjection.java:58:29:58:55 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:61:28:61:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:61:55:61:88 | jBadDNNameAdd : String | semmle.label | jBadDNNameAdd : String |
+| LdapInjection.java:63:16:63:81 | addAll(...) | semmle.label | addAll(...) |
+| LdapInjection.java:63:84:63:103 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:66:28:66:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:66:55:66:89 | jBadDNNameAdd2 : String | semmle.label | jBadDNNameAdd2 : String |
+| LdapInjection.java:70:16:70:44 | addAll(...) | semmle.label | addAll(...) |
+| LdapInjection.java:70:47:70:66 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:73:28:73:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:73:55:73:93 | jBadDNNameToString : String | semmle.label | jBadDNNameToString : String |
+| LdapInjection.java:75:16:75:72 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:75:75:75:94 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:78:28:78:52 | jBad : String | semmle.label | jBad : String |
+| LdapInjection.java:78:55:78:90 | jBadDNNameClone : String | semmle.label | jBadDNNameClone : String |
+| LdapInjection.java:80:16:80:73 | (...)... | semmle.label | (...)... |
+| LdapInjection.java:80:76:80:95 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:92:31:92:55 | uBad : String | semmle.label | uBad : String |
+| LdapInjection.java:92:58:92:84 | uBadDN : String | semmle.label | uBadDN : String |
+| LdapInjection.java:94:20:94:39 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:94:67:94:86 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:97:31:97:67 | uBadFilterCreate : String | semmle.label | uBadFilterCreate : String |
+| LdapInjection.java:98:58:98:88 | create(...) | semmle.label | create(...) |
+| LdapInjection.java:101:31:101:70 | uBadROSearchRequest : String | semmle.label | uBadROSearchRequest : String |
+| LdapInjection.java:101:73:101:103 | uBadROSRDN : String | semmle.label | uBadROSRDN : String |
+| LdapInjection.java:105:14:105:14 | s | semmle.label | s |
+| LdapInjection.java:108:31:108:68 | uBadSearchRequest : String | semmle.label | uBadSearchRequest : String |
+| LdapInjection.java:108:71:108:99 | uBadSRDN : String | semmle.label | uBadSRDN : String |
+| LdapInjection.java:112:14:112:14 | s | semmle.label | s |
+| LdapInjection.java:115:31:115:55 | uBad : String | semmle.label | uBad : String |
+| LdapInjection.java:115:58:115:87 | uBadDNSFR : String | semmle.label | uBadDNSFR : String |
+| LdapInjection.java:117:22:117:44 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:117:69:117:88 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:120:31:120:75 | uBadROSearchRequestAsync : String | semmle.label | uBadROSearchRequestAsync : String |
+| LdapInjection.java:120:78:120:113 | uBadROSRDNAsync : String | semmle.label | uBadROSRDNAsync : String |
+| LdapInjection.java:124:19:124:19 | s | semmle.label | s |
+| LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync : String | semmle.label | uBadSearchRequestAsync : String |
+| LdapInjection.java:127:76:127:109 | uBadSRDNAsync : String | semmle.label | uBadSRDNAsync : String |
+| LdapInjection.java:131:19:131:19 | s | semmle.label | s |
+| LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | semmle.label | uBadFilterCreateNOT : String |
+| LdapInjection.java:135:58:135:115 | createNOTFilter(...) | semmle.label | createNOTFilter(...) |
+| LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | semmle.label | uBadFilterCreateToString : String |
+| LdapInjection.java:139:58:139:107 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | semmle.label | uBadFilterCreateToStringBuffer : String |
+| LdapInjection.java:145:58:145:69 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | semmle.label | uBadSearchRequestDuplicate : String |
+| LdapInjection.java:152:14:152:26 | duplicate(...) | semmle.label | duplicate(...) |
+| LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate : String | semmle.label | uBadROSearchRequestDuplicate : String |
+| LdapInjection.java:159:14:159:26 | duplicate(...) | semmle.label | duplicate(...) |
+| LdapInjection.java:162:32:162:74 | uBadSearchRequestSetDN : String | semmle.label | uBadSearchRequestSetDN : String |
+| LdapInjection.java:166:14:166:14 | s | semmle.label | s |
+| LdapInjection.java:169:32:169:78 | uBadSearchRequestSetFilter : String | semmle.label | uBadSearchRequestSetFilter : String |
+| LdapInjection.java:173:14:173:14 | s | semmle.label | s |
+| LdapInjection.java:197:30:197:54 | sBad : String | semmle.label | sBad : String |
+| LdapInjection.java:197:57:197:83 | sBadDN : String | semmle.label | sBadDN : String |
+| LdapInjection.java:198:14:198:33 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:198:36:198:55 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:201:30:201:54 | sBad : String | semmle.label | sBad : String |
+| LdapInjection.java:201:57:201:92 | sBadDNLNBuilder : String | semmle.label | sBadDNLNBuilder : String |
+| LdapInjection.java:202:20:202:85 | build(...) | semmle.label | build(...) |
+| LdapInjection.java:202:88:202:107 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:205:30:205:54 | sBad : String | semmle.label | sBad : String |
+| LdapInjection.java:205:57:205:95 | sBadDNLNBuilderAdd : String | semmle.label | sBadDNLNBuilderAdd : String |
+| LdapInjection.java:206:23:206:97 | build(...) | semmle.label | build(...) |
+| LdapInjection.java:206:100:206:119 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:209:30:209:63 | sBadLdapQuery : String | semmle.label | sBadLdapQuery : String |
+| LdapInjection.java:210:15:210:76 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:213:30:213:60 | sBadFilter : String | semmle.label | sBadFilter : String |
+| LdapInjection.java:213:63:213:98 | sBadDNLdapUtils : String | semmle.label | sBadDNLdapUtils : String |
+| LdapInjection.java:214:12:214:63 | newLdapName(...) | semmle.label | newLdapName(...) |
+| LdapInjection.java:214:66:214:112 | new HardcodedFilter(...) | semmle.label | new HardcodedFilter(...) |
+| LdapInjection.java:217:30:217:63 | sBadLdapQuery : String | semmle.label | sBadLdapQuery : String |
+| LdapInjection.java:218:24:218:85 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:221:30:221:64 | sBadLdapQuery2 : String | semmle.label | sBadLdapQuery2 : String |
+| LdapInjection.java:223:24:223:24 | q | semmle.label | q |
+| LdapInjection.java:226:30:226:73 | sBadLdapQueryWithFilter : String | semmle.label | sBadLdapQueryWithFilter : String |
+| LdapInjection.java:227:24:227:116 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 : String | semmle.label | sBadLdapQueryWithFilter2 : String |
+| LdapInjection.java:232:24:232:57 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:235:31:235:68 | sBadLdapQueryBase : String | semmle.label | sBadLdapQueryBase : String |
+| LdapInjection.java:236:12:236:66 | base(...) | semmle.label | base(...) |
+| LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | semmle.label | sBadLdapQueryComplex : String |
+| LdapInjection.java:240:24:240:98 | is(...) | semmle.label | is(...) |
+| LdapInjection.java:243:31:243:69 | sBadFilterToString : String | semmle.label | sBadFilterToString : String |
+| LdapInjection.java:244:18:244:83 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | semmle.label | sBadFilterEncode : String |
+| LdapInjection.java:250:18:250:29 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:266:30:266:54 | aBad : String | semmle.label | aBad : String |
+| LdapInjection.java:266:57:266:83 | aBadDN : String | semmle.label | aBadDN : String |
+| LdapInjection.java:268:14:268:33 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:268:36:268:55 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:271:30:271:54 | aBad : String | semmle.label | aBad : String |
+| LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | semmle.label | aBadDNObjToString : String |
+| LdapInjection.java:273:14:273:62 | getName(...) | semmle.label | getName(...) |
+| LdapInjection.java:273:65:273:84 | ... + ... | semmle.label | ... + ... |
+| LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | semmle.label | aBadSearchRequest : String |
+| LdapInjection.java:280:14:280:14 | s | semmle.label | s |
+| LdapInjection.java:283:74:283:103 | aBadDNObj : String | semmle.label | aBadDNObj : String |
+| LdapInjection.java:287:14:287:14 | s | semmle.label | s |
+| LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | semmle.label | aBadDNSearchRequestGet : String |
+| LdapInjection.java:294:14:294:24 | getBase(...) | semmle.label | getBase(...) |
+#select
+| LdapInjection.java:43:16:43:35 | ... + ... | LdapInjection.java:41:55:41:81 | jBadDN : String | LdapInjection.java:43:16:43:35 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:41:55:41:81 | jBadDN | this user input |
+| LdapInjection.java:43:38:43:57 | ... + ... | LdapInjection.java:41:28:41:52 | jBad : String | LdapInjection.java:43:38:43:57 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:41:28:41:52 | jBad | this user input |
+| LdapInjection.java:48:16:48:53 | new LdapName(...) | LdapInjection.java:46:55:46:85 | jBadDNName : String | LdapInjection.java:48:16:48:53 | new LdapName(...) | LDAP query might include code from $@. | LdapInjection.java:46:55:46:85 | jBadDNName | this user input |
+| LdapInjection.java:48:56:48:75 | ... + ... | LdapInjection.java:46:28:46:52 | jBad : String | LdapInjection.java:48:56:48:75 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:46:28:46:52 | jBad | this user input |
+| LdapInjection.java:53:63:53:82 | ... + ... | LdapInjection.java:51:28:51:52 | jBad : String | LdapInjection.java:53:63:53:82 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:51:28:51:52 | jBad | this user input |
+| LdapInjection.java:58:29:58:55 | ... + ... | LdapInjection.java:56:28:56:59 | jBadInitial : String | LdapInjection.java:58:29:58:55 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:56:28:56:59 | jBadInitial | this user input |
+| LdapInjection.java:63:16:63:81 | addAll(...) | LdapInjection.java:61:55:61:88 | jBadDNNameAdd : String | LdapInjection.java:63:16:63:81 | addAll(...) | LDAP query might include code from $@. | LdapInjection.java:61:55:61:88 | jBadDNNameAdd | this user input |
+| LdapInjection.java:63:84:63:103 | ... + ... | LdapInjection.java:61:28:61:52 | jBad : String | LdapInjection.java:63:84:63:103 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:61:28:61:52 | jBad | this user input |
+| LdapInjection.java:70:16:70:44 | addAll(...) | LdapInjection.java:66:55:66:89 | jBadDNNameAdd2 : String | LdapInjection.java:70:16:70:44 | addAll(...) | LDAP query might include code from $@. | LdapInjection.java:66:55:66:89 | jBadDNNameAdd2 | this user input |
+| LdapInjection.java:70:47:70:66 | ... + ... | LdapInjection.java:66:28:66:52 | jBad : String | LdapInjection.java:70:47:70:66 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:66:28:66:52 | jBad | this user input |
+| LdapInjection.java:75:16:75:72 | toString(...) | LdapInjection.java:73:55:73:93 | jBadDNNameToString : String | LdapInjection.java:75:16:75:72 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:73:55:73:93 | jBadDNNameToString | this user input |
+| LdapInjection.java:75:75:75:94 | ... + ... | LdapInjection.java:73:28:73:52 | jBad : String | LdapInjection.java:75:75:75:94 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:73:28:73:52 | jBad | this user input |
+| LdapInjection.java:80:16:80:73 | (...)... | LdapInjection.java:78:55:78:90 | jBadDNNameClone : String | LdapInjection.java:80:16:80:73 | (...)... | LDAP query might include code from $@. | LdapInjection.java:78:55:78:90 | jBadDNNameClone | this user input |
+| LdapInjection.java:80:76:80:95 | ... + ... | LdapInjection.java:78:28:78:52 | jBad : String | LdapInjection.java:80:76:80:95 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:78:28:78:52 | jBad | this user input |
+| LdapInjection.java:94:20:94:39 | ... + ... | LdapInjection.java:92:58:92:84 | uBadDN : String | LdapInjection.java:94:20:94:39 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:92:58:92:84 | uBadDN | this user input |
+| LdapInjection.java:94:67:94:86 | ... + ... | LdapInjection.java:92:31:92:55 | uBad : String | LdapInjection.java:94:67:94:86 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:92:31:92:55 | uBad | this user input |
+| LdapInjection.java:98:58:98:88 | create(...) | LdapInjection.java:97:31:97:67 | uBadFilterCreate : String | LdapInjection.java:98:58:98:88 | create(...) | LDAP query might include code from $@. | LdapInjection.java:97:31:97:67 | uBadFilterCreate | this user input |
+| LdapInjection.java:105:14:105:14 | s | LdapInjection.java:101:31:101:70 | uBadROSearchRequest : String | LdapInjection.java:105:14:105:14 | s | LDAP query might include code from $@. | LdapInjection.java:101:31:101:70 | uBadROSearchRequest | this user input |
+| LdapInjection.java:105:14:105:14 | s | LdapInjection.java:101:73:101:103 | uBadROSRDN : String | LdapInjection.java:105:14:105:14 | s | LDAP query might include code from $@. | LdapInjection.java:101:73:101:103 | uBadROSRDN | this user input |
+| LdapInjection.java:112:14:112:14 | s | LdapInjection.java:108:31:108:68 | uBadSearchRequest : String | LdapInjection.java:112:14:112:14 | s | LDAP query might include code from $@. | LdapInjection.java:108:31:108:68 | uBadSearchRequest | this user input |
+| LdapInjection.java:112:14:112:14 | s | LdapInjection.java:108:71:108:99 | uBadSRDN : String | LdapInjection.java:112:14:112:14 | s | LDAP query might include code from $@. | LdapInjection.java:108:71:108:99 | uBadSRDN | this user input |
+| LdapInjection.java:117:22:117:44 | ... + ... | LdapInjection.java:115:58:115:87 | uBadDNSFR : String | LdapInjection.java:117:22:117:44 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:115:58:115:87 | uBadDNSFR | this user input |
+| LdapInjection.java:117:69:117:88 | ... + ... | LdapInjection.java:115:31:115:55 | uBad : String | LdapInjection.java:117:69:117:88 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:115:31:115:55 | uBad | this user input |
+| LdapInjection.java:124:19:124:19 | s | LdapInjection.java:120:31:120:75 | uBadROSearchRequestAsync : String | LdapInjection.java:124:19:124:19 | s | LDAP query might include code from $@. | LdapInjection.java:120:31:120:75 | uBadROSearchRequestAsync | this user input |
+| LdapInjection.java:124:19:124:19 | s | LdapInjection.java:120:78:120:113 | uBadROSRDNAsync : String | LdapInjection.java:124:19:124:19 | s | LDAP query might include code from $@. | LdapInjection.java:120:78:120:113 | uBadROSRDNAsync | this user input |
+| LdapInjection.java:131:19:131:19 | s | LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync : String | LdapInjection.java:131:19:131:19 | s | LDAP query might include code from $@. | LdapInjection.java:127:31:127:73 | uBadSearchRequestAsync | this user input |
+| LdapInjection.java:131:19:131:19 | s | LdapInjection.java:127:76:127:109 | uBadSRDNAsync : String | LdapInjection.java:131:19:131:19 | s | LDAP query might include code from $@. | LdapInjection.java:127:76:127:109 | uBadSRDNAsync | this user input |
+| LdapInjection.java:135:58:135:115 | createNOTFilter(...) | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT : String | LdapInjection.java:135:58:135:115 | createNOTFilter(...) | LDAP query might include code from $@. | LdapInjection.java:134:31:134:70 | uBadFilterCreateNOT | this user input |
+| LdapInjection.java:139:58:139:107 | toString(...) | LdapInjection.java:138:31:138:75 | uBadFilterCreateToString : String | LdapInjection.java:139:58:139:107 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:138:31:138:75 | uBadFilterCreateToString | this user input |
+| LdapInjection.java:145:58:145:69 | toString(...) | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:145:58:145:69 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:142:32:142:82 | uBadFilterCreateToStringBuffer | this user input |
+| LdapInjection.java:152:14:152:26 | duplicate(...) | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:152:14:152:26 | duplicate(...) | LDAP query might include code from $@. | LdapInjection.java:148:32:148:78 | uBadSearchRequestDuplicate | this user input |
+| LdapInjection.java:159:14:159:26 | duplicate(...) | LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:159:14:159:26 | duplicate(...) | LDAP query might include code from $@. | LdapInjection.java:155:32:155:80 | uBadROSearchRequestDuplicate | this user input |
+| LdapInjection.java:166:14:166:14 | s | LdapInjection.java:162:32:162:74 | uBadSearchRequestSetDN : String | LdapInjection.java:166:14:166:14 | s | LDAP query might include code from $@. | LdapInjection.java:162:32:162:74 | uBadSearchRequestSetDN | this user input |
+| LdapInjection.java:173:14:173:14 | s | LdapInjection.java:169:32:169:78 | uBadSearchRequestSetFilter : String | LdapInjection.java:173:14:173:14 | s | LDAP query might include code from $@. | LdapInjection.java:169:32:169:78 | uBadSearchRequestSetFilter | this user input |
+| LdapInjection.java:198:14:198:33 | ... + ... | LdapInjection.java:197:57:197:83 | sBadDN : String | LdapInjection.java:198:14:198:33 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:197:57:197:83 | sBadDN | this user input |
+| LdapInjection.java:198:36:198:55 | ... + ... | LdapInjection.java:197:30:197:54 | sBad : String | LdapInjection.java:198:36:198:55 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:197:30:197:54 | sBad | this user input |
+| LdapInjection.java:202:20:202:85 | build(...) | LdapInjection.java:201:57:201:92 | sBadDNLNBuilder : String | LdapInjection.java:202:20:202:85 | build(...) | LDAP query might include code from $@. | LdapInjection.java:201:57:201:92 | sBadDNLNBuilder | this user input |
+| LdapInjection.java:202:88:202:107 | ... + ... | LdapInjection.java:201:30:201:54 | sBad : String | LdapInjection.java:202:88:202:107 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:201:30:201:54 | sBad | this user input |
+| LdapInjection.java:206:23:206:97 | build(...) | LdapInjection.java:205:57:205:95 | sBadDNLNBuilderAdd : String | LdapInjection.java:206:23:206:97 | build(...) | LDAP query might include code from $@. | LdapInjection.java:205:57:205:95 | sBadDNLNBuilderAdd | this user input |
+| LdapInjection.java:206:100:206:119 | ... + ... | LdapInjection.java:205:30:205:54 | sBad : String | LdapInjection.java:206:100:206:119 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:205:30:205:54 | sBad | this user input |
+| LdapInjection.java:210:15:210:76 | filter(...) | LdapInjection.java:209:30:209:63 | sBadLdapQuery : String | LdapInjection.java:210:15:210:76 | filter(...) | LDAP query might include code from $@. | LdapInjection.java:209:30:209:63 | sBadLdapQuery | this user input |
+| LdapInjection.java:214:12:214:63 | newLdapName(...) | LdapInjection.java:213:63:213:98 | sBadDNLdapUtils : String | LdapInjection.java:214:12:214:63 | newLdapName(...) | LDAP query might include code from $@. | LdapInjection.java:213:63:213:98 | sBadDNLdapUtils | this user input |
+| LdapInjection.java:214:66:214:112 | new HardcodedFilter(...) | LdapInjection.java:213:30:213:60 | sBadFilter : String | LdapInjection.java:214:66:214:112 | new HardcodedFilter(...) | LDAP query might include code from $@. | LdapInjection.java:213:30:213:60 | sBadFilter | this user input |
+| LdapInjection.java:218:24:218:85 | filter(...) | LdapInjection.java:217:30:217:63 | sBadLdapQuery : String | LdapInjection.java:218:24:218:85 | filter(...) | LDAP query might include code from $@. | LdapInjection.java:217:30:217:63 | sBadLdapQuery | this user input |
+| LdapInjection.java:223:24:223:24 | q | LdapInjection.java:221:30:221:64 | sBadLdapQuery2 : String | LdapInjection.java:223:24:223:24 | q | LDAP query might include code from $@. | LdapInjection.java:221:30:221:64 | sBadLdapQuery2 | this user input |
+| LdapInjection.java:227:24:227:116 | filter(...) | LdapInjection.java:226:30:226:73 | sBadLdapQueryWithFilter : String | LdapInjection.java:227:24:227:116 | filter(...) | LDAP query might include code from $@. | LdapInjection.java:226:30:226:73 | sBadLdapQueryWithFilter | this user input |
+| LdapInjection.java:232:24:232:57 | filter(...) | LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:232:24:232:57 | filter(...) | LDAP query might include code from $@. | LdapInjection.java:230:30:230:74 | sBadLdapQueryWithFilter2 | this user input |
+| LdapInjection.java:236:12:236:66 | base(...) | LdapInjection.java:235:31:235:68 | sBadLdapQueryBase : String | LdapInjection.java:236:12:236:66 | base(...) | LDAP query might include code from $@. | LdapInjection.java:235:31:235:68 | sBadLdapQueryBase | this user input |
+| LdapInjection.java:240:24:240:98 | is(...) | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex : String | LdapInjection.java:240:24:240:98 | is(...) | LDAP query might include code from $@. | LdapInjection.java:239:31:239:71 | sBadLdapQueryComplex | this user input |
+| LdapInjection.java:244:18:244:83 | toString(...) | LdapInjection.java:243:31:243:69 | sBadFilterToString : String | LdapInjection.java:244:18:244:83 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:243:31:243:69 | sBadFilterToString | this user input |
+| LdapInjection.java:250:18:250:29 | toString(...) | LdapInjection.java:247:31:247:67 | sBadFilterEncode : String | LdapInjection.java:250:18:250:29 | toString(...) | LDAP query might include code from $@. | LdapInjection.java:247:31:247:67 | sBadFilterEncode | this user input |
+| LdapInjection.java:268:14:268:33 | ... + ... | LdapInjection.java:266:57:266:83 | aBadDN : String | LdapInjection.java:268:14:268:33 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:266:57:266:83 | aBadDN | this user input |
+| LdapInjection.java:268:36:268:55 | ... + ... | LdapInjection.java:266:30:266:54 | aBad : String | LdapInjection.java:268:36:268:55 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:266:30:266:54 | aBad | this user input |
+| LdapInjection.java:273:14:273:62 | getName(...) | LdapInjection.java:271:57:271:94 | aBadDNObjToString : String | LdapInjection.java:273:14:273:62 | getName(...) | LDAP query might include code from $@. | LdapInjection.java:271:57:271:94 | aBadDNObjToString | this user input |
+| LdapInjection.java:273:65:273:84 | ... + ... | LdapInjection.java:271:30:271:54 | aBad : String | LdapInjection.java:273:65:273:84 | ... + ... | LDAP query might include code from $@. | LdapInjection.java:271:30:271:54 | aBad | this user input |
+| LdapInjection.java:280:14:280:14 | s | LdapInjection.java:276:30:276:67 | aBadSearchRequest : String | LdapInjection.java:280:14:280:14 | s | LDAP query might include code from $@. | LdapInjection.java:276:30:276:67 | aBadSearchRequest | this user input |
+| LdapInjection.java:287:14:287:14 | s | LdapInjection.java:283:74:283:103 | aBadDNObj : String | LdapInjection.java:287:14:287:14 | s | LDAP query might include code from $@. | LdapInjection.java:283:74:283:103 | aBadDNObj | this user input |
+| LdapInjection.java:294:14:294:24 | getBase(...) | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet : String | LdapInjection.java:294:14:294:24 | getBase(...) | LDAP query might include code from $@. | LdapInjection.java:290:30:290:72 | aBadDNSearchRequestGet | this user input |

java/ql/test/query-tests/security/CWE-090/LdapInjection.java

@@ -0,0 +1,326 @@
+import java.util.List;
+
+import javax.naming.Name;
+import javax.naming.NamingException;
+import javax.naming.directory.BasicAttributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.ldap.InitialLdapContext;
+import javax.naming.ldap.LdapContext;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+
+import com.unboundid.ldap.sdk.Filter;
+import com.unboundid.ldap.sdk.LDAPConnection;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.LDAPSearchException;
+import com.unboundid.ldap.sdk.ReadOnlySearchRequest;
+import com.unboundid.ldap.sdk.SearchRequest;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.filter.EqualityNode;
+import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.LdapNetworkConnection;
+import org.owasp.esapi.Encoder;
+import org.owasp.esapi.reference.DefaultEncoder;
+import org.springframework.ldap.core.LdapTemplate;
+import org.springframework.ldap.filter.EqualsFilter;
+import org.springframework.ldap.filter.HardcodedFilter;
+import org.springframework.ldap.query.LdapQuery;
+import org.springframework.ldap.query.LdapQueryBuilder;
+import org.springframework.ldap.support.LdapEncoder;
+import org.springframework.ldap.support.LdapNameBuilder;
+import org.springframework.ldap.support.LdapUtils;
+import org.springframework.web.bind.annotation.RequestParam;
+
+public class LdapInjection {
+  // JNDI
+  public void testJndiBad1(@RequestParam String jBad, @RequestParam String jBadDN, DirContext ctx)
+      throws NamingException {
+    ctx.search("ou=system" + jBadDN, "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad2(@RequestParam String jBad, @RequestParam String jBadDNName, InitialDirContext ctx)
+      throws NamingException {
+    ctx.search(new LdapName("ou=system" + jBadDNName), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad3(@RequestParam String jBad, @RequestParam String jOkDN, LdapContext ctx)
+      throws NamingException {
+    ctx.search(new LdapName(List.of(new Rdn("ou=" + jOkDN))), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad4(@RequestParam String jBadInitial, InitialLdapContext ctx)
+      throws NamingException {
+    ctx.search("ou=system", "(uid=" + jBadInitial + ")", new SearchControls());
+  }
+
+  public void testJndiBad5(@RequestParam String jBad, @RequestParam String jBadDNNameAdd, InitialDirContext ctx)
+      throws NamingException {
+    ctx.search(new LdapName("").addAll(new LdapName("ou=system" + jBadDNNameAdd)), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad6(@RequestParam String jBad, @RequestParam String jBadDNNameAdd2, InitialDirContext ctx)
+      throws NamingException {
+    LdapName name = new LdapName("");
+    name.addAll(new LdapName("ou=system" + jBadDNNameAdd2).getRdns());
+    ctx.search(new LdapName("").addAll(name), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad7(@RequestParam String jBad, @RequestParam String jBadDNNameToString, InitialDirContext ctx)
+      throws NamingException {
+    ctx.search(new LdapName("ou=system" + jBadDNNameToString).toString(), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiBad8(@RequestParam String jBad, @RequestParam String jBadDNNameClone, InitialDirContext ctx)
+      throws NamingException {
+    ctx.search((Name) new LdapName("ou=system" + jBadDNNameClone).clone(), "(uid=" + jBad + ")", new SearchControls());
+  }
+
+  public void testJndiOk1(@RequestParam String jOkFilterExpr, DirContext ctx) throws NamingException {
+    ctx.search("ou=system", "(uid={0})", new String[] { jOkFilterExpr }, new SearchControls());
+  }
+
+  public void testJndiOk2(@RequestParam String jOkAttribute, DirContext ctx) throws NamingException {
+    ctx.search("ou=system", new BasicAttributes(jOkAttribute, jOkAttribute));
+  }
+
+  // UnboundID
+  public void testUnboundBad1(@RequestParam String uBad, @RequestParam String uBadDN, LDAPConnection c)
+      throws LDAPSearchException {
+    c.search(null, "ou=system" + uBadDN, null, null, 1, 1, false, "(uid=" + uBad + ")");
+  }
+
+  public void testUnboundBad2(@RequestParam String uBadFilterCreate, LDAPConnection c) throws LDAPException {
+    c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreate));
+  }
+
+  public void testUnboundBad3(@RequestParam String uBadROSearchRequest, @RequestParam String uBadROSRDN,
+      LDAPConnection c) throws LDAPException {
+    ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDN, null, null, 1, 1, false,
+        "(uid=" + uBadROSearchRequest + ")");
+    c.search(s);
+  }
+
+  public void testUnboundBad4(@RequestParam String uBadSearchRequest, @RequestParam String uBadSRDN, LDAPConnection c)
+      throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDN, null, null, 1, 1, false,
+        "(uid=" + uBadSearchRequest + ")");
+    c.search(s);
+  }
+
+  public void testUnboundBad5(@RequestParam String uBad, @RequestParam String uBadDNSFR, LDAPConnection c)
+      throws LDAPSearchException {
+    c.searchForEntry("ou=system" + uBadDNSFR, null, null, 1, false, "(uid=" + uBad + ")");
+  }
+
+  public void testUnboundBad6(@RequestParam String uBadROSearchRequestAsync, @RequestParam String uBadROSRDNAsync,
+      LDAPConnection c) throws LDAPException {
+    ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDNAsync, null, null, 1, 1, false,
+        "(uid=" + uBadROSearchRequestAsync + ")");
+    c.asyncSearch(s);
+  }
+
+  public void testUnboundBad7(@RequestParam String uBadSearchRequestAsync, @RequestParam String uBadSRDNAsync, LDAPConnection c)
+      throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDNAsync, null, null, 1, 1, false,
+        "(uid=" + uBadSearchRequestAsync + ")");
+    c.asyncSearch(s);
+  }
+
+  public void testUnboundBad8(@RequestParam String uBadFilterCreateNOT, LDAPConnection c) throws LDAPException {
+    c.search(null, "ou=system", null, null, 1, 1, false, Filter.createNOTFilter(Filter.create(uBadFilterCreateNOT)));
+  }
+
+  public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException {
+    c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString());
+  }
+
+  public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException {
+    StringBuilder b = new StringBuilder();
+    Filter.create(uBadFilterCreateToStringBuffer).toNormalizedString(b);
+    c.search(null, "ou=system", null, null, 1, 1, false, b.toString());
+  }
+  
+  public void testUnboundBad11(@RequestParam String uBadSearchRequestDuplicate, LDAPConnection c)
+      throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
+        "(uid=" + uBadSearchRequestDuplicate + ")");
+    c.search(s.duplicate());
+  }
+
+  public void testUnboundBad12(@RequestParam String uBadROSearchRequestDuplicate, LDAPConnection c)
+      throws LDAPException {
+    ReadOnlySearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
+        "(uid=" + uBadROSearchRequestDuplicate + ")");
+    c.search(s.duplicate());
+  }
+
+  public void testUnboundBad13(@RequestParam String uBadSearchRequestSetDN, LDAPConnection c)
+      throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "", null, null, 1, 1, false, "");
+    s.setBaseDN(uBadSearchRequestSetDN);
+    c.search(s);
+  }
+
+  public void testUnboundBad14(@RequestParam String uBadSearchRequestSetFilter, LDAPConnection c)
+      throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false, "");
+    s.setFilter(uBadSearchRequestSetFilter);
+    c.search(s);
+  }
+
+  public void testUnboundOk1(@RequestParam String uOkEqualityFilter, LDAPConnection c) throws LDAPSearchException {
+    c.search(null, "ou=system", null, null, 1, 1, false, Filter.createEqualityFilter("uid", uOkEqualityFilter));
+  }
+
+  public void testUnboundOk2(@RequestParam String uOkVaragsAttr, LDAPConnection c) throws LDAPSearchException {
+    c.search("ou=system", null, null, 1, 1, false, "(uid=fixed)", "a" + uOkVaragsAttr);
+  }
+
+  public void testUnboundOk3(@RequestParam String uOkFilterSearchRequest, LDAPConnection c) throws LDAPException {
+    SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false,
+        Filter.createEqualityFilter("uid", uOkFilterSearchRequest));
+    c.search(s);
+  }
+
+  public void testUnboundOk4(@RequestParam String uOkSearchRequestVarargs, LDAPConnection c) throws LDAPException {
+    SearchRequest s = new SearchRequest("ou=system", null, "(uid=fixed)", "va1", "va2", "va3",
+        "a" + uOkSearchRequestVarargs);
+    c.search(s);
+  }
+
+  // Spring LDAP
+  public void testSpringBad1(@RequestParam String sBad, @RequestParam String sBadDN, LdapTemplate c) {
+    c.search("ou=system" + sBadDN, "(uid=" + sBad + ")", 1, false, null);
+  }
+
+  public void testSpringBad2(@RequestParam String sBad, @RequestParam String sBadDNLNBuilder, LdapTemplate c) {
+    c.authenticate(LdapNameBuilder.newInstance("ou=system" + sBadDNLNBuilder).build(), "(uid=" + sBad + ")", "pass");
+  }
+
+  public void testSpringBad3(@RequestParam String sBad, @RequestParam String sBadDNLNBuilderAdd, LdapTemplate c) {
+    c.searchForObject(LdapNameBuilder.newInstance().add("ou=system" + sBadDNLNBuilderAdd).build(), "(uid=" + sBad + ")", null);
+  }
+
+  public void testSpringBad4(@RequestParam String sBadLdapQuery, LdapTemplate c) {
+    c.findOne(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"), null);
+  }
+
+  public void testSpringBad5(@RequestParam String sBadFilter, @RequestParam String sBadDNLdapUtils, LdapTemplate c) {
+    c.find(LdapUtils.newLdapName("ou=system" + sBadDNLdapUtils), new HardcodedFilter("(uid=" + sBadFilter + ")"), null, null);
+  }
+
+  public void testSpringBad6(@RequestParam String sBadLdapQuery, LdapTemplate c) {
+    c.searchForContext(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"));
+  }
+
+  public void testSpringBad7(@RequestParam String sBadLdapQuery2, LdapTemplate c) {
+    LdapQuery q = LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery2 + ")");
+    c.searchForContext(q);
+  }
+
+  public void testSpringBad8(@RequestParam String sBadLdapQueryWithFilter, LdapTemplate c) {
+    c.searchForContext(LdapQueryBuilder.query().filter(new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter + ")")));
+  }
+
+  public void testSpringBad9(@RequestParam String sBadLdapQueryWithFilter2, LdapTemplate c) {
+    org.springframework.ldap.filter.Filter f = new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter2 + ")");
+    c.searchForContext(LdapQueryBuilder.query().filter(f));
+  }
+
+  public void testSpringBad10(@RequestParam String sBadLdapQueryBase, LdapTemplate c) {
+    c.find(LdapQueryBuilder.query().base(sBadLdapQueryBase).base(), null, null, null);
+  }
+
+  public void testSpringBad11(@RequestParam String sBadLdapQueryComplex, LdapTemplate c) {
+    c.searchForContext(LdapQueryBuilder.query().base(sBadLdapQueryComplex).where("uid").is("test"));
+  }
+
+  public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) {
+    c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null);
+  }
+
+  public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) {
+    StringBuffer s = new StringBuffer();
+    new HardcodedFilter("(uid=" + sBadFilterEncode + ")").encode(s);
+    c.search("", s.toString(), 1, false, null);
+  }
+
+  public void testSpringOk1(@RequestParam String sOkLdapQuery, LdapTemplate c) {
+    c.find(LdapQueryBuilder.query().filter("(uid={0})", sOkLdapQuery), null);
+  }
+
+  public void testSpringOk2(@RequestParam String sOkFilter, @RequestParam String sOkDN, LdapTemplate c) {
+    c.find(LdapNameBuilder.newInstance().add("ou", sOkDN).build(), new EqualsFilter("uid", sOkFilter), null, null);
+  }
+
+  public void testSpringOk3(@RequestParam String sOkLdapQuery, @RequestParam String sOkPassword, LdapTemplate c) {
+    c.authenticate(LdapQueryBuilder.query().filter("(uid={0})", sOkLdapQuery), sOkPassword);
+  }
+
+  // Apache LDAP API
+  public void testApacheBad1(@RequestParam String aBad, @RequestParam String aBadDN, LdapConnection c)
+      throws LdapException {
+    c.search("ou=system" + aBadDN, "(uid=" + aBad + ")", null);
+  }
+
+  public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c)
+      throws LdapException {
+    c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null);
+  }
+
+  public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c)
+      throws LdapException {
+    org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
+    s.setFilter("(uid=" + aBadSearchRequest + ")");
+    c.search(s);
+  }
+
+  public void testApacheBad4(@RequestParam String aBadSearchRequestImpl, @RequestParam String aBadDNObj, LdapConnection c)
+      throws LdapException {
+    SearchRequestImpl s = new SearchRequestImpl();
+    s.setBase(new Dn("ou=system" + aBadDNObj));
+    c.search(s);
+  }
+
+  public void testApacheBad5(@RequestParam String aBadDNSearchRequestGet, LdapConnection c)
+      throws LdapException {
+    org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
+    s.setBase(new Dn("ou=system" + aBadDNSearchRequestGet));
+    c.search(s.getBase(), "(uid=test", null);
+  }
+
+  public void testApacheOk1(@RequestParam String aOk, LdapConnection c)
+      throws LdapException {
+    org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl();
+    s.setFilter(new EqualityNode<String>("uid", aOk));
+    c.search(s);
+  }
+
+  public void testApacheOk2(@RequestParam String aOk, LdapConnection c)
+      throws LdapException {
+    SearchRequestImpl s = new SearchRequestImpl();
+    s.setFilter(new EqualityNode<String>("uid", aOk));
+    c.search(s);
+  }
+
+  // ESAPI encoder sanitizer
+  public void testOk3(@RequestParam String okEncodeForLDAP, DirContext ctx) throws NamingException {
+    Encoder encoder = DefaultEncoder.getInstance();
+    ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls());
+  }
+
+  // Spring LdapEncoder sanitizer
+  public void testOk4(@RequestParam String okFilterEncode, DirContext ctx) throws NamingException {
+    ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls());
+  }
+
+  // UnboundID Filter.encodeValue sanitizer
+  public void testOk5(@RequestParam String okUnboundEncodeValue, DirContext ctx) throws NamingException {
+    ctx.search("ou=system", "(uid=" + Filter.encodeValue(okUnboundEncodeValue) + ")", new SearchControls());
+  }
+}

java/ql/test/query-tests/security/CWE-090/LdapInjection.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-090/LdapInjection.ql

java/ql/test/query-tests/security/CWE-090/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/spring-ldap-2.3.2:${testdir}/../../../stubs/unboundid-ldap-4.0.14:${testdir}/../../../stubs/esapi-2.0.1:${testdir}/../../../stubs/apache-ldap-1.0.2

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/cursor/EntryCursor.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.cursor;
+
+public interface EntryCursor {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/cursor/SearchCursor.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.cursor;
+
+public interface SearchCursor {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/entry/Value.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.entry;
+
+public interface Value<T> {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/exception/LdapException.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.exception;
+
+public class LdapException extends Exception {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/exception/LdapInvalidDnException.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.exception;
+
+public class LdapInvalidDnException extends LdapException {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/filter/EqualityNode.java

@@ -0,0 +1,8 @@
+package org.apache.directory.api.ldap.model.filter;
+
+import org.apache.directory.api.ldap.model.entry.Value;
+
+public class EqualityNode<T> implements ExprNode {
+  public EqualityNode(String attribute, Value<T> value) { }
+  public EqualityNode(String attribute, String value) { }
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/filter/ExprNode.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.filter;
+
+public interface ExprNode {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/message/SearchRequest.java

@@ -0,0 +1,12 @@
+package org.apache.directory.api.ldap.model.message;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.api.ldap.model.filter.ExprNode;
+
+public interface SearchRequest {
+  Dn getBase();
+  SearchRequest setBase(Dn baseDn);
+  SearchRequest setFilter(ExprNode filter);
+  SearchRequest setFilter(String filter) throws LdapException;
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/message/SearchRequestImpl.java

@@ -0,0 +1,12 @@
+package org.apache.directory.api.ldap.model.message;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.name.Dn;
+import org.apache.directory.api.ldap.model.filter.ExprNode;
+
+public class SearchRequestImpl implements SearchRequest {
+  public Dn getBase() { return null; }
+  public SearchRequest setBase(Dn baseDn) { return null; }
+  public SearchRequest setFilter(ExprNode filter) { return null; }
+  public SearchRequest setFilter(String filter) throws LdapException { return null; }
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/message/SearchScope.java

@@ -0,0 +1,4 @@
+package org.apache.directory.api.ldap.model.message;
+
+public enum SearchScope {
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/api/ldap/model/name/Dn.java

@@ -0,0 +1,8 @@
+package org.apache.directory.api.ldap.model.name;
+
+import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
+
+public class Dn {
+  public Dn(String... upRdns) throws LdapInvalidDnException { }
+  public String getName() { return null; }
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/ldap/client/api/LdapConnection.java

@@ -0,0 +1,17 @@
+package org.apache.directory.ldap.client.api;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.cursor.EntryCursor;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.message.SearchRequest;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.api.ldap.model.name.Dn;
+
+public interface LdapConnection {
+  SearchCursor search(SearchRequest searchRequest) throws LdapException;
+
+  EntryCursor search(String baseDn, String filter, SearchScope scope, String... attributes) throws LdapException;
+
+  EntryCursor search(Dn baseDn, String filter, SearchScope scope, String... attributes) throws LdapException;
+
+}

java/ql/test/stubs/apache-ldap-1.0.2/org/apache/directory/ldap/client/api/LdapNetworkConnection.java

@@ -0,0 +1,16 @@
+package org.apache.directory.ldap.client.api;
+
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.cursor.EntryCursor;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.message.SearchRequest;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.api.ldap.model.name.Dn;
+
+public class LdapNetworkConnection implements LdapConnection {
+  public SearchCursor search(SearchRequest searchRequest) throws LdapException { return null; }
+
+  public EntryCursor search(String baseDn, String filter, SearchScope scope, String... attributes) throws LdapException { return null; }
+
+  public EntryCursor search(Dn baseDn, String filter, SearchScope scope, String... attributes) throws LdapException { return null; }
+}

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/Encoder.java

@@ -0,0 +1,5 @@
+package org.owasp.esapi;
+
+public interface Encoder {
+  String encodeForLDAP(String input);
+}

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/reference/DefaultEncoder.java

@@ -0,0 +1,8 @@
+package org.owasp.esapi.reference;
+
+import org.owasp.esapi.Encoder;
+
+public class DefaultEncoder implements Encoder {
+  public static Encoder getInstance() { return null; }
+  public String encodeForLDAP(String input) { return null; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/ContextMapper.java

@@ -0,0 +1,4 @@
+package org.springframework.ldap.core;
+
+public interface ContextMapper<T> {
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/DirContextOperations.java

@@ -0,0 +1,4 @@
+package org.springframework.ldap.core;
+
+public interface DirContextOperations {
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/LdapTemplate.java

@@ -0,0 +1,28 @@
+package org.springframework.ldap.core;
+
+import java.util.*;
+
+import javax.naming.Name;
+import javax.naming.directory.SearchControls;
+
+import org.springframework.ldap.filter.Filter;
+
+import org.springframework.ldap.query.LdapQuery;
+
+public class LdapTemplate {
+  public void authenticate(LdapQuery query, String password) { }
+
+  public boolean authenticate(Name base, String filter, String password) { return true; }
+
+  public <T> List<T> find(Name base, Filter filter, SearchControls searchControls, final Class<T> clazz) { return null; }
+
+  public <T> List<T> find(LdapQuery query, Class<T> clazz) { return null; }
+
+  public <T> T findOne(LdapQuery query, Class<T> clazz) { return null; }
+
+  public void search(String base, String filter, int searchScope, boolean returningObjFlag, NameClassPairCallbackHandler handler) { }
+
+  public DirContextOperations searchForContext(LdapQuery query) { return null; }
+
+  public <T> T searchForObject(Name base, String filter, ContextMapper<T> mapper) { return null; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/NameClassPairCallbackHandler.java

@@ -0,0 +1,3 @@
+package org.springframework.ldap.core;
+
+public interface NameClassPairCallbackHandler { }

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/EqualsFilter.java

@@ -0,0 +1,5 @@
+package org.springframework.ldap.filter;
+
+public class EqualsFilter implements Filter {
+  public EqualsFilter(String attribute, String value) { }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/Filter.java

@@ -0,0 +1,4 @@
+package org.springframework.ldap.filter;
+
+public interface Filter {
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/HardcodedFilter.java

@@ -0,0 +1,7 @@
+package org.springframework.ldap.filter;
+
+public class HardcodedFilter implements Filter {
+  public HardcodedFilter(String filter) { }
+  public StringBuffer encode(StringBuffer buff) { return buff; }
+  public String toString() { return ""; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/ConditionCriteria.java

@@ -0,0 +1,5 @@
+package org.springframework.ldap.query;
+
+public interface ConditionCriteria {
+  ContainerCriteria is(String value);
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/ContainerCriteria.java

@@ -0,0 +1,4 @@
+package org.springframework.ldap.query;
+
+public interface ContainerCriteria extends LdapQuery {
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/LdapQuery.java

@@ -0,0 +1,4 @@
+package org.springframework.ldap.query;
+
+public interface LdapQuery {
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/LdapQueryBuilder.java

@@ -0,0 +1,14 @@
+package org.springframework.ldap.query;
+
+import javax.naming.Name;
+import org.springframework.ldap.filter.Filter;
+
+public class LdapQueryBuilder {
+  public static LdapQueryBuilder query() { return null; }
+  public LdapQuery filter(String hardcodedFilter) { return null; }
+  public LdapQuery filter(Filter filter) { return null; }
+  public LdapQuery filter(String filterFormat, Object... params) { return null; }
+  public LdapQueryBuilder base(String baseDn) { return this; }
+  public Name base() { return null; }
+  public ConditionCriteria where(String attribute) { return null; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapEncoder.java

@@ -0,0 +1,5 @@
+package org.springframework.ldap.support;
+
+public class LdapEncoder {
+  public static String filterEncode(String value) { return null; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapNameBuilder.java

@@ -0,0 +1,12 @@
+package org.springframework.ldap.support;
+
+import javax.naming.ldap.LdapName;
+
+public class LdapNameBuilder {
+  public static LdapNameBuilder newInstance() { return null; }
+  public static LdapNameBuilder newInstance(String name) { return null; }
+
+  public LdapNameBuilder add(String name) { return null; }
+  public LdapNameBuilder add(String key, Object value) { return null; }
+  public LdapName build() { return null; }
+}

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapUtils.java

@@ -0,0 +1,7 @@
+package org.springframework.ldap.support;
+
+import javax.naming.ldap.LdapName;
+
+public class LdapUtils {
+  public static LdapName newLdapName(String distinguishedName) { return null; }
+}

java/ql/test/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java

@@ -0,0 +1,8 @@
+package org.springframework.web.bind.annotation;
+
+import java.lang.annotation.*;
+
+@Target(value=ElementType.PARAMETER)
+@Retention(value=RetentionPolicy.RUNTIME)
+@Documented
+public @interface RequestParam { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/AsyncRequestID.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class AsyncRequestID { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/DereferencePolicy.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class DereferencePolicy { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/Filter.java

@@ -0,0 +1,15 @@
+package com.unboundid.ldap.sdk;
+
+public class Filter {
+  public static Filter create(java.lang.String filterString) throws LDAPException { return null; }
+
+  public static Filter createNOTFilter(Filter notComponent) { return null; }
+
+  public static Filter createEqualityFilter(java.lang.String attributeName, java.lang.String assertionValue) { return null; }
+
+  public static java.lang.String encodeValue(java.lang.String value) { return null; }
+
+  public void toNormalizedString(java.lang.StringBuilder buffer) { }
+
+  public String toString() { return ""; }
+}

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/LDAPConnection.java

@@ -0,0 +1,21 @@
+package com.unboundid.ldap.sdk;
+
+public class LDAPConnection {
+  public AsyncRequestID asyncSearch(ReadOnlySearchRequest searchRequest) throws LDAPException { return null; }
+  public AsyncRequestID asyncSearch(SearchRequest searchRequest) throws LDAPException { return null; }
+
+  public SearchResult search(ReadOnlySearchRequest searchRequest) throws LDAPSearchException { return null; }
+  public SearchResult search(SearchRequest searchRequest) throws LDAPSearchException { return null; }
+
+  public SearchResult search(SearchResultListener searchResultListener, String baseDN, SearchScope scope, DereferencePolicy derefPolicy,
+                  int sizeLimit, int timeLimit, boolean typesOnly, Filter filter, String... attributes) throws LDAPSearchException { return null; }
+
+  public SearchResult search(SearchResultListener searchResultListener, String baseDN, SearchScope scope, DereferencePolicy derefPolicy,
+                  int sizeLimit, int timeLimit, boolean typesOnly, String filter, String... attributes) throws LDAPSearchException { return null; }
+
+  public SearchResult search(String baseDN, SearchScope scope, DereferencePolicy derefPolicy, int sizeLimit, int timeLimit,
+                  boolean typesOnly, String filter, String... attributes) throws LDAPSearchException { return null; }
+
+  public SearchResultEntry searchForEntry(String baseDN, SearchScope scope, DereferencePolicy derefPolicy, int timeLimit,
+                   boolean typesOnly, String filter, String... attributes) throws LDAPSearchException { return null; }
+}

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/LDAPException.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class LDAPException extends Exception { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/LDAPSearchException.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class LDAPSearchException extends LDAPException { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/ReadOnlySearchRequest.java

@@ -0,0 +1,5 @@
+package com.unboundid.ldap.sdk;
+
+public interface ReadOnlySearchRequest {
+  SearchRequest duplicate();
+}

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/SearchRequest.java

@@ -0,0 +1,17 @@
+package com.unboundid.ldap.sdk;
+
+public class SearchRequest implements ReadOnlySearchRequest {
+  public SearchRequest(String baseDN, SearchScope scope, String filter, String... attributes) throws LDAPException { }
+
+  public SearchRequest(SearchResultListener searchResultListener, String baseDN, SearchScope scope, DereferencePolicy derefPolicy,
+             int sizeLimit, int timeLimit, boolean typesOnly, Filter filter, String... attributes) { }
+
+  public SearchRequest(SearchResultListener searchResultListener, String baseDN, SearchScope scope, DereferencePolicy derefPolicy,
+             int sizeLimit, int timeLimit, boolean typesOnly, String filter, String... attributes) throws LDAPException { }
+
+  public SearchRequest duplicate() { return null; }
+
+  public void setBaseDN(String baseDN) { }
+
+  public void setFilter(String filter) throws LDAPException { }
+}

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/SearchResult.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class SearchResult { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/SearchResultEntry.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class SearchResultEntry { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/SearchResultListener.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public interface SearchResultListener { }

java/ql/test/stubs/unboundid-ldap-4.0.14/com/unboundid/ldap/sdk/SearchScope.java

@@ -0,0 +1,3 @@
+package com.unboundid.ldap.sdk;
+
+public class SearchScope { }