| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
An LDAP poisoning attack seems possible.
Queries against an LDAP directory return objects that represent entries stored in the directory. Modifications to such objects must not be written back to the directory; otherwise anyone holding a reference to one of them can alter the directory's contents, an attack known as LDAP poisoning. This checker identifies such situations. It also warns when an LDAP connection is created without authentication, since every operation issued over such a connection bypasses authentication and access control.
| Class Name | Potential LDAP Poisoning (Java) |
|---|---|
| Significance | security |
| Mnemonic | JAVA.INSEC.LDAP.POISON |
| Categories | |
| Availability | Available for Java and Kotlin. |
| Enabling | Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file: WARNING_FILTER += discard class="Potential LDAP Poisoning (Java)" |
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import com.juliasoft.julia.extraction.EntryPoint;

public class LdapPoisoning {

    @EntryPoint
    public List<Object> search(int controls, String[] attributes, String base, String filter, String[] args)
            throws NamingException {
        LdapContext ctx = null;
        List<Object> result = new ArrayList<>();
        try {
            Properties env = createEnvironment();
            ctx = new InitialLdapContext(env, null); // LDAP Authentication Disabled (Java) warning issued here
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(controls);
            ctls.setReturningAttributes(attributes);
            ctls.setReturningObjFlag(true); // Potential LDAP Poisoning (Java) warning issued here
            NamingEnumeration<SearchResult> enm = ctx.search(base, filter, args, ctls);
            while (enm.hasMoreElements()) {
                SearchResult sr = enm.nextElement();
                // Previous setReturningObjFlag(true) means that modifications
                // to the object returned by sr.getObject() can be reflected into the database.
                result.add(sr.getObject());
            }
        }
        catch (NamingException ne) {
            throw ne;
        }
        finally {
            if (ctx != null)
                ctx.close();
        }
        // The 'result' list returned by search() contains
        // an object whose modifications can be reflected into the database.
        return result;
    }

    public boolean exists(String dn) throws NamingException {
        Properties env = createEnvironment();
        LdapContext ctx = new InitialLdapContext(env, null);
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
        ctls.setReturningAttributes(new String[0]);
        ctls.setReturningObjFlag(false); // ok: flag set to false
        try {
            ctx.search(dn, "(objectClass=*)", ctls);
            return true;
        }
        catch (NameNotFoundException nne) {
            return false;
        }
    }

    protected Properties createEnvironment() {
        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.setProperty(Context.PROVIDER_URL, "www.juliasoft.com");
        env.setProperty(Context.OBJECT_FACTORIES, "my.factory");
        env.setProperty(Context.SECURITY_PRINCIPAL, "user");
        env.setProperty(Context.SECURITY_CREDENTIALS, "verysecretpassword");
        env.setProperty(Context.SECURITY_AUTHENTICATION, "none"); // Disables authentication, leading to the "LDAP Authentication Disabled (Java)" warning above.
        return env;
    }
}
Do not allow LDAP queries to return objects whose modification is reflected into the directory. In JNDI this means not setting the returning-object flag (SearchControls.setReturningObjFlag(true)) on such queries; read the entry's attributes instead. Do not create unauthenticated LDAP connections (Context.SECURITY_AUTHENTICATION set to "none").
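The following is a hardened counterpart of the LdapPoisoning example, added here as an illustration; it is not code from the CodeSonar manual or from the Julia example set. The ldaps:// URL, the bind DN and the caller-supplied service-account password are placeholders. It leaves the returning-object flag at false, hands callers only detached string copies of attribute values (so nothing they hold is backed by the directory), and binds with SECURITY_AUTHENTICATION "simple" over LDAPS instead of "none".

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapSafeSearch {

    // Placeholder connection settings; assumptions for this example only.
    private static final String PROVIDER_URL = "ldaps://ldap.example.com:636";
    private static final String BIND_DN = "cn=reader,ou=services,dc=example,dc=com";

    /** Returns one immutable attribute map per matching entry, keyed by the entry's DN. */
    public Map<String, Map<String, List<String>>> search(String base, String filter, Object[] filterArgs,
                                                          String[] attributes, char[] bindPassword)
            throws NamingException {
        LdapContext ctx = null;
        Map<String, Map<String, List<String>>> result = new HashMap<>();
        try {
            ctx = new InitialLdapContext(createEnvironment(bindPassword), null); // authenticated bind
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(attributes);
            ctls.setReturningObjFlag(false); // never hand out objects bound in the directory
            NamingEnumeration<SearchResult> enm = ctx.search(base, filter, filterArgs, ctls);
            try {
                while (enm.hasMore()) {
                    SearchResult sr = enm.next();
                    // sr.getObject() is null with the flag off; only attribute values are copied out.
                    result.put(sr.getNameInNamespace(), copyAttributes(sr.getAttributes()));
                }
            } finally {
                enm.close();
            }
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
        return Collections.unmodifiableMap(result);
    }

    /** Copies attribute values into plain strings so the caller holds no reference into JNDI. */
    static Map<String, List<String>> copyAttributes(Attributes attrs) throws NamingException {
        if (attrs == null) {
            return Collections.emptyMap();
        }
        Map<String, List<String>> copy = new HashMap<>();
        NamingEnumeration<? extends Attribute> all = attrs.getAll();
        try {
            while (all.hasMore()) {
                Attribute a = all.next();
                List<String> values = new ArrayList<>();
                NamingEnumeration<?> vs = a.getAll();
                try {
                    while (vs.hasMore()) {
                        values.add(String.valueOf(vs.next()));
                    }
                } finally {
                    vs.close();
                }
                copy.put(a.getID(), Collections.unmodifiableList(values));
            }
        } finally {
            all.close();
        }
        return Collections.unmodifiableMap(copy);
    }

    /** Authenticated bind over LDAPS; the password comes from the caller and is never hard-coded. */
    static Properties createEnvironment(char[] bindPassword) {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // not "none"
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword); // JNDI accepts char[] here
        // No Context.OBJECT_FACTORIES: with the returning-object flag off, nothing is reconstructed.
        return env;
    }
}
```

Because the flag stays false and the caller receives only unmodifiable maps of strings, there is no object through which a directory write could be reflected, and the checker has nothing to report; the "simple" bind over ldaps:// likewise removes the unauthenticated-connection case. Keep the password in the caller's char[] (or a secrets store) rather than in source, as the original example does.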
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.