LDAP query built from user-controlled sources

If an LDAP query is built using string concatenation, and the components of the concatenation include user input, a user is likely to be able to run malicious LDAP queries.

If user input must be included in an LDAP query, it should be escaped to avoid a malicious user providing special characters that change the meaning of the query. If possible, build the LDAP query using framework helper methods, for example from Spring's LdapQueryBuilder and LdapNameBuilder, instead of string concatenation. Alternatively, escape user input using an appropriate LDAP encoding method, for example: encodeForLDAP or encodeForDN from OWASP ESAPI, LdapEncoder.filterEncode or LdapEncoder.nameEncode from Spring LDAP, or Filter.encodeValue from the UnboundID library. Note that a search filter value and a DN component follow different escaping rules (RFC 4515 for filter values, RFC 4514 for DN components), which is why each library offers a separate method for each; applying the filter encoder to a DN, or vice versa, is not sufficient.

In the following examples, the code accepts an "organization name" and a "username" from the user, which it uses to query LDAP. The first example concatenates the unvalidated and unencoded user input directly into both the DN (Distinguished Name) and the search filter used for the LDAP query. A malicious user could provide special characters to change the meaning of these queries, and search for a completely different set of values. The LDAP query is executed using the Java JNDI API.
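The block below is an added example written for this page; it is not the CodeQL query help's own example and not code from any of the libraries named above. It places the concatenation pattern described above next to a hardened version that uses Spring LDAP's LdapEncoder (one of the encoders the text names) for both the DN and the filter, and a JNDI lookup that uses the `{0}` filter-argument placeholder of DirContext.search, a JNDI feature the text does not mention: String arguments substituted that way are escaped by JNDI according to RFC 2254, so only the DN still needs manual encoding. The class name LdapUserLookup, the directory layout `OU=People,O=<organization>`, the returned attributes and the malicious inputs in main are assumptions constructed for the example; spring-ldap-core must be on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.springframework.ldap.support.LdapEncoder;

// Added example (not the original page's code): building an LDAP search from an
// "organization name" and a "username" supplied by the user.
public class LdapUserLookup {

    // BAD: both the DN and the filter are assembled by string concatenation from
    // unvalidated, unencoded input. A username of "*" turns the lookup into a
    // wildcard match; an organization containing "," appends extra RDNs to the DN.
    static String[] buildUnsafe(String organization, String username) {
        String dn = "OU=People,O=" + organization;
        String filter = "(cn=" + username + ")";
        return new String[] { dn, filter };
    }

    // GOOD: the DN component is escaped per RFC 4514 (nameEncode) and the filter
    // value per RFC 4515 (filterEncode). The two encoders are not interchangeable.
    static String[] buildSafe(String organization, String username) {
        String dn = "OU=People,O=" + LdapEncoder.nameEncode(organization);
        String filter = "(cn=" + LdapEncoder.filterEncode(username) + ")";
        return new String[] { dn, filter };
    }

    // Executes the lookup with JNDI (hypothetical server URL, anonymous bind).
    // The filter uses JNDI's {0} placeholder: the String argument is escaped by
    // JNDI per RFC 2254, so no manual filter encoding is needed here. The DN has
    // no such mechanism, so the organization name is still passed through nameEncode.
    static List<String> findUser(String ldapUrl, String organization, String username)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "cn", "mail" });
            String baseDn = "OU=People,O=" + LdapEncoder.nameEncode(organization);
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(cn={0})", new Object[] { username }, sc);
            // Drain the enumeration before the context is closed; results are
            // not usable after ctx.close().
            List<String> matches = new ArrayList<>();
            while (results.hasMore()) {
                matches.add(results.next().getNameInNamespace());
            }
            return matches;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed malicious inputs, not real data: the filter payload is a bare
        // wildcard, the DN payload smuggles an extra RDN into the search base.
        String organization = "example,OU=Admins";
        String username = "*";
        System.out.println("unsafe: " + Arrays.toString(buildUnsafe(organization, username)));
        System.out.println("safe:   " + Arrays.toString(buildSafe(organization, username)));
    }
}
```

Running main prints the two DN/filter pairs side by side: in the unsafe pair the filter has become `(cn=*)` and the base DN has gained an `OU=Admins` RDN, while in the safe pair the `*` and the `,` are escaped so both remain literal data. findUser is the pattern to use in real code; it is not invoked from main because it needs a directory server.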