hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.21.3
codeql/csharp/ql/test/query-tests/Security Features/CWE-090/LDAPInjection.cs
Ed Minnix e84a509976 Modify test cases
2024-03-01 12:51:56 -05:00

61 lines
2.1 KiB
C#
Raw Permalink Blame History

using System;
using System.Data.SqlClient;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Web;
using System.Xml;
public class LDAPInjectionHandler : IHttpHandler
{
public void ProcessRequest(HttpContext ctx)
{
string userName = ctx.Request.QueryString["username"];
// BAD: Filter includes user input without encoding
DirectorySearcher ds = new DirectorySearcher("accountname=" + userName);
DirectorySearcher ds2 = new DirectorySearcher();
ds.Filter = "accountname=" + userName;
// GOOD: Filter includes user input with encoding
DirectorySearcher ds3 = new DirectorySearcher("accountname=" + LDAPEncode(userName));
// BAD: SearchRequest Filter includes user input without encoding
SearchRequest sr = new SearchRequest();
sr.Filter = "accountname=" + userName;
SearchRequest sr2 = new SearchRequest(null, "accountname=" + userName, System.DirectoryServices.Protocols.SearchScope.Base, null);
// BAD: Distinguished Name includes user input without encoding
DirectoryEntry de = new DirectoryEntry("LDAP://Cn=" + userName);
DirectoryEntry de2 = new DirectoryEntry();
de2.Path = "LDAP://Cn=" + userName;
using (SqlConnection connection = new SqlConnection(""))
{
connection.Open();
SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
SqlDataReader customerReader = customerCommand.ExecuteReader();
while (customerReader.Read())
{
// BAD: Read from database, write it straight to a response
DirectorySearcher ds4 = new DirectorySearcher("accountname=" + customerReader.GetString(1));
}
customerReader.Close();
}
}
public string LDAPEncode(string value)
{
// Query identifies encoders by method name only, so the body is not important
return value;
}
public bool IsReusable
{
get
{
return true;
}
}
}
Reference in New Issue View Git Blame Copy Permalink