digitalfondue / lavagna

Lavagna: issue tracker/project management tool
http://lavagna.io
GNU General Public License v3.0

Ldap injection #115

Closed. QiAnXinCodeSafe closed this issue 5 years ago.

QiAnXinCodeSafe commented 5 years ago

Hi! This is the Qihoo360 CodeSafe Team. We found an LDAP injection vulnerability in lavagna in our open source code detection project. The details are as follows: checkLdap() in the ApplicationConfigurationController.java file accepts the parameters from the request and passes them to authenticateWithParams() in Ldap.java.

Finally, DirContext's search() is called. Since the filter parameter is controllable, an attacker can perform LDAP injection by constructing parameters such as filter and username.

syjer commented 5 years ago

hi @360CodeSafe , actually the behavior is correct (or at least, it should be).

The controller ApplicationConfigurationController accepts only users with the ADMINISTRATION role (https://github.com/digitalfondue/lavagna/blob/master/src/main/java/io/lavagna/web/api/ApplicationConfigurationController.java#L31).

The method that you have highlighted, checkLdap(), is called when the administrator is doing a setup of the LDAP configuration, so it must be able to pass both the filter and the username.

In the normal login process, when authenticateWithParams() is called, the filter is the one configured by the administrator (at setup time OR during a later configuration), so it cannot be modified by the user doing the login. Additionally, the username is escaped using Ldap.escapeLDAPSearchFilter (https://github.com/digitalfondue/lavagna/blob/master/src/main/java/io/lavagna/service/Ldap.java#L188), which has been imported from the OWASP page marked in the comment.

If you think that I've missed something, please feel free :)
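To illustrate the distinction drawn above (admin-controlled filter template, user-controlled username that is escaped before substitution), here is a self-contained Java example added for this thread; it is not lavagna's own code. The escaping follows the OWASP LDAP search filter rules; `buildSearchFilter`, the `{0}` placeholder convention and the sample template are constructed for the demonstration.

```java
public final class LdapFilterEscapeDemo {

    // Escape the characters that have meaning inside an LDAP search filter
    // value, per OWASP guidance: backslash, '*', '(', ')' and NUL become
    // their hex-escaped forms so they are treated as literal characters.
    public static String escapeLDAPSearchFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':     sb.append("\\5c"); break;
                case '*':      sb.append("\\2a"); break;
                case '(':      sb.append("\\28"); break;
                case ')':      sb.append("\\29"); break;
                case '\u0000': sb.append("\\00"); break;
                default:       sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical helper: the template comes from trusted admin
    // configuration, the username from the login form. Only the
    // username is escaped before it is placed into the template.
    public static String buildSearchFilter(String adminFilterTemplate, String username) {
        return adminFilterTemplate.replace("{0}", escapeLDAPSearchFilter(username));
    }

    public static void main(String[] args) {
        // Constructed sample template, the kind an administrator would configure.
        String template = "(&(objectClass=person)(uid={0}))";

        // An ordinary username passes through unchanged.
        System.out.println(buildSearchFilter(template, "alice"));

        // A username containing filter metacharacters stays inside the
        // uid=... value instead of altering the filter's structure.
        System.out.println(buildSearchFilter(template, "a*b(c)\\d"));
    }
}
```

Compile and run with `javac LdapFilterEscapeDemo.java && java LdapFilterEscapeDemo`; the second line shows every metacharacter replaced by its `\XX` escape while the surrounding filter structure is untouched.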

SitoCH commented 5 years ago

Closing due to inactivity, feel free to reopen it if there's something new.