Apply suggestion from code review

This commit is contained in:
Grzegorz Golawski
2020-01-28 22:34:01 +01:00
parent 7b2192d2e3
commit bbcfbd7a28


@@ -11,10 +11,12 @@ is likely to be able to run malicious LDAP queries.</p>
<recommendation>
<p>If user input must be included in an LDAP query, it should be escaped to
avoid a malicious user providing special characters that change the meaning
of the query. If possible build the LDAP query (or search filter / DN) using your
framework helper methods to avoid string concatenation, or escape user input
using the right LDAP encoding method, for example encodeForLDAP from OWASP ESAPI,
LdapEncoder from Spring LDAP or Filter.encodeValue from UnboundID library.</p>
of the query. If possible build the LDAP query using framework helper methods, for example
from Spring's <code>LdapQueryBuilder</code> and <code>LdapNameBuilder</code>,
instead of string concatenation. Alternatively, escape user input using an appropriate
LDAP encoding method, for example: <code>encodeForLDAP</code> or </code>encodeForDN</code>
from OWASP ESAPI, <code>LdapEncoder.filterEncode</code> or <code>LdapEncoder.nameEncode</code>
from Spring LDAP, or <code>Filter.encodeValue</code> from UnboundID library.</p>
</recommendation>
<example>
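Review bot: The tag before `encodeForDN` in the new recommendation text is a closing tag where an opening one is needed (`or </code>encodeForDN</code>`), which leaves the `.qhelp` XML malformed and will break rendering of the help page; it should read `<code>encodeForDN</code>`, matching the surrounding `<code>` markup. While touching that line, "from UnboundID library" would read better as "from the UnboundID library", consistent with "from Spring LDAP" in the same sentence.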