...
| Code Block | ||
|---|---|---|
| ||
// String userSN = "Sherlock Holmes"; // Valid
// String userPassword = "secret2"; // Valid
// ...beginning of LDAPInjection.searchRecord()...
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
String base = "dc=example,dc=com";
if (!userSN.matches("[\\w\\s]*") || !userPassword.matches("[\\w]*")) {
throw new IllegalArgumentException("Invalid input");
}
String filter = "(&(sn = " + userSN + ")(userPassword=" + userPassword + "))";
// ...remainder of LDAPInjection.searchRecord()...
|
When a database field such as a password must include special characters, it is critical to ensure that the authentic data is stored in sanitized form in the database and also that any user input is normalized before the validation or comparison takes place. We discourage use of Using characters that have special meanings in JNDI and LDAP in the absence of a comprehensive normalization and whitelisting-based routine is discouraged. Refer to IDS50-JG. Properly encode or escape output for examples of output encoding and escaping. Special characters must be transformed to sanitized safe values before they are added to the whitelist expression against which input will be validated. Likewise, normalization of user input (escaping and encoding) should occur before the validation step.
...