
CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc

JAVA.INSEC.LDAP.DA : LDAP Authentication Disabled (Java)

Summary

An LDAP connection is set up without authentication.

Queries against LDAP databases return objects representing data stored in the database. Modifications to such objects should not be reflected as actual updates to the database; otherwise anybody holding a reference to such an object could corrupt the database, in a kind of attack known as LDAP poisoning. This checker identifies such situations. Transactions without access control or authentication can also be performed over an unauthenticated LDAP connection, and the checker warns about these issues too.

Properties

Class name: LDAP Authentication Disabled (Java)
Japanese class name: LDAP Authentication Disabled (Java)
Class category: Security (security)
Mnemonic: JAVA.INSEC.LDAP.DA
Categories:
  CWE: CWE:1390 Weak Authentication
  CERT-Java: CERT-Java:ENV01-J Place all security-sensitive code in a single JAR and sign and seal it
  OWASP-2017: OWASP-2017:A2 Broken authentication
  OWASP-2021: OWASP-2021:A7 Identification and authorization failures
  OWASP-2025: OWASP-2025:A07 Authentication Failures
Supported languages: Available for Java and Kotlin.
Enabled/disabled: Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file:
WARNING_FILTER += discard class="LDAP Authentication Disabled (Java)"

import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

import com.juliasoft.julia.extraction.EntryPoint;

public class LdapPoisoning {

  public @EntryPoint List<Object> search(int controls, String[] attributes, String base, String filter, String[] args)
                                      throws NamingException {
    LdapContext ctx = null;
    List<Object> result = new ArrayList<>();

    try {
      Properties env = createEnvironment();    
      ctx = new InitialLdapContext(env, null); // LDAP Authentication Disabled (Java) warning issued here 


      SearchControls ctls = new SearchControls();
      ctls.setSearchScope(controls);
      ctls.setReturningAttributes(attributes);
      ctls.setReturningObjFlag(true);          // Potential LDAP Poisoning (Java) warning issued here 

      NamingEnumeration<SearchResult> enm = ctx.search(base, filter, args, ctls);
      while (enm.hasMoreElements()) {
        SearchResult sr = enm.nextElement();
        result.add(sr.getObject());                /* Previous setReturningObjFlag(true) means that modifications 
                                                    * to the object returned by sr.getObject() can be reflected into the database.
                                                    */
      }
    }
    catch (NamingException ne) {
      throw ne;
    }
    finally {
      if (ctx != null)
        ctx.close();
    }

    return result;                                 /* 'result' list returned by search() contains   
                                                    * an object whose modifications can be reflected into the database.
                                                    */
  }

  public boolean exists(String dn) throws NamingException {
    Properties env = createEnvironment();
    LdapContext ctx = new InitialLdapContext(env, null);
    SearchControls ctls = new SearchControls();
    ctls.setSearchScope(SearchControls.OBJECT_SCOPE);
    ctls.setReturningAttributes(new String[0]);
    ctls.setReturningObjFlag(false);                            // ok: flag set to false

    try {
      ctx.search(dn, "(objectClass=*)", ctls);
      return true;
    }
    catch (NameNotFoundException nne) {
      return false;
    }
    finally {
      ctx.close();                                              // release the connection on every path
    }
  }

  protected Properties createEnvironment() {
    Properties env = new Properties();
    env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.setProperty(Context.PROVIDER_URL, "www.juliasoft.com");
    env.setProperty(Context.OBJECT_FACTORIES, "my.factory");
    env.setProperty(Context.SECURITY_PRINCIPAL, "user");
    env.setProperty(Context.SECURITY_CREDENTIALS, "verysecretpassword");
    env.setProperty(Context.SECURITY_AUTHENTICATION, "none"); // Disables authentication, leading to the "LDAP Authentication Disabled (Java)" warning above. 
    return env;
  }
}

Remediation

Do not allow LDAP queries to return objects whose modification is reflected into the database. Typically, a specific flag (the returning-object flag of the search controls) should not be set for such queries. Do not create unauthenticated LDAP connections.
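An added example, not part of the CodeSonar documentation or the checker's sample code above, showing a hardened counterpart of createEnvironment(): the bind is authenticated ("simple" over ldaps://) and a guard refuses any environment that would still produce the anonymous connection the checker flags. The directory URL and the bind DN are hypothetical placeholders; the JNDI property names are the standard javax.naming.Context constants used on this page.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AuthenticatedLdap {

  // Hypothetical directory address; real deployments take this from configuration, not source.
  private static final String LDAP_URL = "ldaps://ldap.example.internal:636";

  /** Authenticated environment: the server checks the principal's credentials. */
  public static Hashtable<String, Object> createEnvironment(String bindDn, char[] password) {
    Hashtable<String, Object> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, LDAP_URL);
    // "simple" instead of "none"; ldaps:// keeps the credentials off the wire in clear text.
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, bindDn);
    env.put(Context.SECURITY_CREDENTIALS, password);   // the LDAP provider accepts char[] credentials
    return env;
  }

  /** Fails fast on an environment that would open the connection the checker warns about. */
  static void requireAuthenticated(Hashtable<String, Object> env) {
    Object mode = env.get(Context.SECURITY_AUTHENTICATION);
    if (mode == null || "none".equalsIgnoreCase(mode.toString())) {
      throw new IllegalStateException("refusing anonymous LDAP bind");
    }
    Object principal = env.get(Context.SECURITY_PRINCIPAL);
    Object credentials = env.get(Context.SECURITY_CREDENTIALS);
    boolean emptyCredentials = credentials == null
        || (credentials instanceof char[] && ((char[]) credentials).length == 0)
        || (credentials instanceof String && ((String) credentials).isEmpty());
    // A DN with an empty password is an "unauthenticated bind", which directories treat as anonymous.
    if (principal == null || principal.toString().isEmpty() || emptyCredentials) {
      throw new IllegalStateException("LDAP bind requires a principal and a non-empty credential");
    }
  }

  public static LdapContext connect(String bindDn, char[] password) throws NamingException {
    Hashtable<String, Object> env = createEnvironment(bindDn, password);
    requireAuthenticated(env);
    return new InitialLdapContext(env, null);
  }
}
```

Callers should close the returned context in a finally block, as the sample's search() does, and clear the password array once the bind has completed.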

Related configuration file parameters

The following configuration file parameters affect the checks for this warning class.


To report problems with this documentation, please visit https://support.codesecure.com/.