Java: Adjust stubs and unit test.

Anders Schack-Mulligen
2020-01-30 11:07:03 +01:00
parent 9391058363
commit ea3d7b1b2f
7 changed files with 34 additions and 24 deletions


@@ -136,7 +136,7 @@ public class LdapInjection {
}
public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException {
c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString()); // False Negative
c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString());
}
public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException {
@@ -241,7 +241,7 @@ public class LdapInjection {
}
public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) {
c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null); // False Negative
c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null);
}
public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) {
@@ -270,7 +270,7 @@ public class LdapInjection {
public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c)
throws LdapException {
c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null); // False Negative
c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null);
}
public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c)
@@ -311,12 +311,12 @@ public class LdapInjection {
// ESAPI encoder sanitizer
public void testOk3(@RequestParam String okEncodeForLDAP, DirContext ctx) throws NamingException {
Encoder encoder = DefaultEncoder.getInstance();
ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls()); // False Positive
ctx.search("ou=system", "(uid=" + encoder.encodeForLDAP(okEncodeForLDAP) + ")", new SearchControls());
}
// Spring LdapEncoder sanitizer
public void testOk4(@RequestParam String okFilterEncode, DirContext ctx) throws NamingException {
ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls()); // False Positive
ctx.search("ou=system", "(uid=" + LdapEncoder.filterEncode(okFilterEncode) + ")", new SearchControls());
}
// UnboundID Filter.encodeValue sanitizer