This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Preventing LDAP Injection in Java"
From OWASP
(Added optimized version) |
m (Optimized code + test cases) |
||
| Line 11: | Line 11: | ||
<em>Note: This is untested code</em> --[[User:Stephendv|Stephendv]] 05:08, 10 July 2006 (EDT) | <em>Note: This is untested code</em> --[[User:Stephendv|Stephendv]] 05:08, 10 July 2006 (EDT) | ||
| + | <em>The backslash replacement and "," are not working</em> --[[User:Thierry.deleeuw|Thierry.deleeuw]] 17:11, 29 April 2007 (EDT) | ||
public String escapeDN (String name) { | public String escapeDN (String name) { | ||
//From RFC 2253 and the / character for JNDI | //From RFC 2253 and the / character for JNDI | ||
| Line 16: | Line 17: | ||
String escapedStr = new String(name); | String escapedStr = new String(name); | ||
//Backslash is both a Java and an LDAP escape character, so escape it first | //Backslash is both a Java and an LDAP escape character, so escape it first | ||
| − | escapedStr = escapedStr.replaceAll("\\\\","\\\\"); | + | escapedStr = escapedStr.replaceAll("\\\\","\\\\"); |
//Positional characters - see RFC 2253 | //Positional characters - see RFC 2253 | ||
escapedStr = escapedStr.replaceAll("^#","\\\\#"); | escapedStr = escapedStr.replaceAll("^#","\\\\#"); | ||
| Line 39: | Line 40: | ||
} | } | ||
| − | Optimized version of the previous code | + | Optimized version of the previous code (about 8 times faster for escaping LDAP search and 13 times for escapeDN on my PC).--[[User:Thierry.deleeuw|Thierry.deleeuw]] 17:11, 29 April 2007 (EDT) |
| − | + | public static String escapeDN(String name) { | |
| − | + | StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder | |
| − | + | if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) { | |
| − | + | sb.append('\\'); // add the leading backslash if needed | |
| − | + | } | |
| − | + | for (int i = 0; i < name.length(); i++) { | |
| + | char curChar = name.charAt(i); | ||
| + | switch (curChar) { | ||
| + | case '\\': | ||
| + | sb.append("\\\\"); | ||
| + | break; | ||
| + | case ',': | ||
| + | sb.append("\\,"); | ||
| + | break; | ||
| + | case '+': | ||
| + | sb.append("\\+"); | ||
| + | break; | ||
| + | case '"': | ||
| + | sb.append("\\\""); | ||
| + | break; | ||
| + | case '<': | ||
| + | sb.append("\\<"); | ||
| + | break; | ||
| + | case '>': | ||
| + | sb.append("\\>"); | ||
| + | break; | ||
| + | case ';': | ||
| + | sb.append("\\;"); | ||
| + | break; | ||
| + | default: | ||
| + | sb.append(curChar); | ||
| + | } | ||
| + | } | ||
| + | if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) { | ||
| + | sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed | ||
| + | } | ||
| + | return sb.toString(); | ||
| + | } | ||
public static final String escapeLDAPSearchFilter(String filter) { | public static final String escapeLDAPSearchFilter(String filter) { | ||
| − | // | + | StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder |
| − | + | for (int i = 0; i < filter.length(); i++) { | |
| − | + | char curChar = filter.charAt(i); | |
| − | + | switch (curChar) { | |
| − | + | case '\\': | |
| − | + | sb.append("\\5c"); | |
| − | + | break; | |
| − | + | case '*': | |
| − | + | sb.append("\\2a"); | |
| − | + | break; | |
| − | + | case '(': | |
| − | return | + | sb.append("\\28"); |
| + | break; | ||
| + | case ')': | ||
| + | sb.append("\\29"); | ||
| + | break; | ||
| + | case '\u0000': | ||
| + | sb.append("\\00"); | ||
| + | break; | ||
| + | default: | ||
| + | sb.append(curChar); | ||
| + | } | ||
| + | } | ||
| + | return sb.toString(); | ||
} | } | ||
| + | |||
| + | Test class: | ||
| + | |||
| + | //escapeDN | ||
| + | assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé")); | ||
| + | assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé")); | ||
| + | assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé")); | ||
| + | assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé ")); | ||
| + | assertEquals("only 3 spaces", "\\ \\ ", escapeDN(" ")); | ||
| + | assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\<big\\>\\, \\\"World\\\" \\;\\ ", escapeDN(" Hello\\ + <big>, \"World\" ; ")); | ||
| + | |||
| + | assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà")); | ||
| + | assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô")); | ||
| + | |||
[[Category:OWASP Java Project]] | [[Category:OWASP Java Project]] | ||
Revision as of 21:11, 29 April 2007
This article is being discussed.
The best way to prevent LDAP injection is to use a positive validation scheme for ensuring that the data going into your queries doesn't contain any attacks. You can read more in the OWASP Guide about input validation.
However, in some cases, it is necessary to include special characters in input that is passed into an LDAP query. In this case, using escaping can prevent the LDAP interpreter from thinking those special characters are actually LDAP query. Rather, the encoding lets the interpreter treat those special characters as data.
Here are a few methods for escaping certain meta-characters in LDAP queries. Both the distinguished name (DN) and the search filter have their own sets of meta-characters. In the case of Java, it is also necessary to escape any JNDI meta-characters, since java uses JNDI to perform LDAP queries.
The examples below present Java methods that could be used to perform this escaping:
Note: This is untested code --Stephendv 05:08, 10 July 2006 (EDT) The backslash replacement and "," are not working --Thierry.deleeuw 17:11, 29 April 2007 (EDT)
public String escapeDN (String name) {
//From RFC 2253 and the / character for JNDI
final char[] META_CHARS = {'+', '"', '<', '>', ';', '/'};
String escapedStr = new String(name);
//Backslash is both a Java and an LDAP escape character, so escape it first
escapedStr = escapedStr.replaceAll("\\\\","\\\\");
//Positional characters - see RFC 2253
escapedStr = escapedStr.replaceAll("^#","\\\\#");
escapedStr = escapedStr.replaceAll("^ | $","\\\\ ");
for (int i=0;i < META_CHARS.length;i++) {
escapedStr = escapedStr.replaceAll("\\"+META_CHARS[i],"\\\\" + META_CHARS[i]);
}
return escapedStr;
}
Note, that the backslash character is a Java String literal and a regular expression escape character.
public String escapeSearchFilter (String filter) {
//From RFC 2254
String escapedStr = new String(filter);
escapedStr = escapedStr.replaceAll("\\\\","\\\\5c");
escapedStr = escapedStr.replaceAll("\\*","\\\\2a");
escapedStr = escapedStr.replaceAll("\\(","\\\\28");
escapedStr = escapedStr.replaceAll("\\)","\\\\29");
escapedStr = escapedStr.replaceAll("\\"+Character.toString('\u0000'), "\\\\00");
return escapedStr;
}
Optimized version of the previous code (about 8 times faster for escaping LDAP search and 13 times for escapeDN on my PC).--Thierry.deleeuw 17:11, 29 April 2007 (EDT)
public static String escapeDN(String name) {
StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
if ((name.length() > 0) && ((name.charAt(0) == ' ') || (name.charAt(0) == '#'))) {
sb.append('\\'); // add the leading backslash if needed
}
for (int i = 0; i < name.length(); i++) {
char curChar = name.charAt(i);
switch (curChar) {
case '\\':
sb.append("\\\\");
break;
case ',':
sb.append("\\,");
break;
case '+':
sb.append("\\+");
break;
case '"':
sb.append("\\\"");
break;
case '<':
sb.append("\\<");
break;
case '>':
sb.append("\\>");
break;
case ';':
sb.append("\\;");
break;
default:
sb.append(curChar);
}
}
if ((name.length() > 1) && (name.charAt(name.length() - 1) == ' ')) {
sb.insert(sb.length() - 1, '\\'); // add the trailing backslash if needed
}
return sb.toString();
}
public static final String escapeLDAPSearchFilter(String filter) {
StringBuffer sb = new StringBuffer(); // If using JDK >= 1.5 consider using StringBuilder
for (int i = 0; i < filter.length(); i++) {
char curChar = filter.charAt(i);
switch (curChar) {
case '\\':
sb.append("\\5c");
break;
case '*':
sb.append("\\2a");
break;
case '(':
sb.append("\\28");
break;
case ')':
sb.append("\\29");
break;
case '\u0000':
sb.append("\\00");
break;
default:
sb.append(curChar);
}
}
return sb.toString();
}
Test class:
//escapeDN
assertEquals("No special characters to escape", "Helloé", escapeDN("Helloé"));
assertEquals("leading #", "\\# Helloé", escapeDN("# Helloé"));
assertEquals("leading space", "\\ Helloé", escapeDN(" Helloé"));
assertEquals("trailing space", "Helloé\\ ", escapeDN("Helloé "));
assertEquals("only 3 spaces", "\\ \\ ", escapeDN(" "));
assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\<big\\>\\, \\\"World\\\" \\;\\ ", escapeDN(" Hello\\ + , \"World\" ; "));
assertEquals("No special characters to escape", "Hi This is a test #çà", SecTool.escapeLDAPSearchFilter("Hi This is a test #çà"));
assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # ç à ô", SecTool.escapeLDAPSearchFilter("Hi (This) = is * a \\ test # ç à ô"));
