Documentation changes

2026-04-25 08:45:14 +02:00 · 2023-03-10 14:48:41 -05:00
parent 752620a34d
commit cb58936c08
5 changed files with 55 additions and 28 deletions
--- a/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.java
+++ b/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.java
@@ -1,24 +0,0 @@
-public class InsecureLdapAuth {
-	/** LDAP authentication */	
-	public DirContext ldapAuth(String ldapUserName, String password) {
-		{
-			// BAD: LDAP authentication in cleartext
-			String ldapUrl = "ldap://ad.your-server.com:389";
-		}
-
-		{
-			// GOOD: LDAPS authentication over SSL
-			String ldapUrl = "ldaps://ad.your-server.com:636";
-		}
-
-		Hashtable<String, String> environment = new Hashtable<String, String>();
-		environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
-		environment.put(Context.PROVIDER_URL, ldapUrl);
-		environment.put(Context.REFERRAL, "follow");
-		environment.put(Context.SECURITY_AUTHENTICATION, "simple");
-		environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
-		environment.put(Context.SECURITY_CREDENTIALS, password);
-		DirContext dirContext = new InitialDirContext(environment);
-		return dirContext;
-	}
-}
--- a/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
+++ b/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.qhelp
@@ -2,16 +2,40 @@
 <qhelp>

  <overview>
-    <p>When using the Java LDAP API to perform LDAPv3-style extended operations and controls, a context with connection properties including user credentials is started. Transmission of LDAP credentials in cleartext allows remote attackers to obtain sensitive information by sniffing the network.</p>
+    <p>
+      When using the Java LDAP API to perform LDAPv3-style extended operations
+      and controls, a context with connection properties including user
+      credentials is started. Transmission of LDAP credentials in cleartext
+      allows remote attackers to obtain sensitive information by sniffing the
+      network.
+    </p>
  </overview>

  <recommendation>
-    <p>Use LDAPS to send credentials through SSL or use SASL authentication.</p>
+    <p>
+      Use the <code>ldaps://</code> protocol to send credentials through SSL or
+      use SASL authentication.
+    </p>
  </recommendation>

  <example>
-    <p>The following example shows two ways of using LDAP authentication. In the 'BAD' case, the credentials are transmitted in cleartext. In the 'GOOD' case, the credentials are transmitted over SSL.</p>
-    <sample src="InsecureLdapAuth.java" />
+    <p>
+      In the following (bad) example, a <code>ldap://</code> URL is used and
+      credentials will be sent in plaintext.
+    </p>
+    <sample src="LdapAuthUseLdap.java"/>
+
+    <p>
+      In the following (good) example, a <code>ldaps://</code> URL is used so
+      credentials will be encrypted with SSL.
+    </p>
+    <sample src="LdapAuthUseLdaps.java"/>
+
+    <p>
+      In the following (good) example, a <code>ldap://</code> URL is used, but
+      SASL authentication is enabled.
+    </p>
+    <sample src="LdapEnableSasl.java"/>
  </example>

  <references>
--- a/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdap.java
+++ b/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdap.java
@@ -0,0 +1,9 @@
+String ldapUrl = "ldap://ad.your-server.com:389";
+Hashtable<String, String> environment = new Hashtable<String, String>();
+environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+environment.put(Context.PROVIDER_URL, ldapUrl);
+environment.put(Context.REFERRAL, "follow");
+environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+environment.put(Context.SECURITY_CREDENTIALS, password);
+DirContext dirContext = new InitialDirContext(environment);
--- a/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdaps.java
+++ b/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdaps.java
@@ -0,0 +1,9 @@
+String ldapUrl = "ldaps://ad.your-server.com:636";
+Hashtable<String, String> environment = new Hashtable<String, String>();
+environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+environment.put(Context.PROVIDER_URL, ldapUrl);
+environment.put(Context.REFERRAL, "follow");
+environment.put(Context.SECURITY_AUTHENTICATION, "simple");
+environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+environment.put(Context.SECURITY_CREDENTIALS, password);
+DirContext dirContext = new InitialDirContext(environment);
--- a/java/ql/src/Security/CWE/CWE-522/LdapEnableSasl.java
+++ b/java/ql/src/Security/CWE/CWE-522/LdapEnableSasl.java
@@ -0,0 +1,9 @@
+String ldapUrl = "ldap://ad.your-server.com:389";
+Hashtable<String, String> environment = new Hashtable<String, String>();
+environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+environment.put(Context.PROVIDER_URL, ldapUrl);
+environment.put(Context.REFERRAL, "follow");
+environment.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5 GSSAPI");
+environment.put(Context.SECURITY_PRINCIPAL, ldapUserName);
+environment.put(Context.SECURITY_CREDENTIALS, password);
+DirContext dirContext = new InitialDirContext(environment);