fusioncop / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Need encoder for LDAP Interchange Format (LDIF) #196

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
There are presently (as of ESAPI 2.0_rc10) two encoders that are LDAP-related:
1) Encoder.encodeForDN(String)
2) Encoder.encodeForLDAP(String)

Neither of these seems to properly handle the context where the format would be 
something that requires user input that is formatted as LDIF input. (Generally, 
such a mechanism might be used to create users or modify user attributes, 
especially when done en masse in batch mode.)

According to 
<http://download.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html>, the 
following cases must be quoted using a backslash character ("\") when they 
appear in a "name":

1) A space or "#" character occurring at the beginning of the string
2) A space character occurring at the end of the string
3) One of the characters ",", "+", """, "\", "<", ">" or ";"

(However, it should be noted that the above mentioned URL states that this 
quoting is specifically only intended for LDAP *names*, meaning that the 
rules may or may not apply to *values*, such as attribute values. Whether 
or not they are permitted for attribute values depends on the application 
context and the LDAP schema definition for that specific LDAP attribute.)

Clearly, #1 and #2 apply to user input that is transformed into LDIF input, but 
such is not the case for #3. (AFAICT, case #3 seems to be primarily 
intended for constructing DNs and LDAP search filters, but it seems to omit 
some important characters there as well, such as "(", ")", "&", and "|", which 
could be used to maliciously alter an LDAP search filter if not properly 
quoted.)

Places where providing LDIF input is common are when two companies are setting 
up federated or otherwise shared user identities in their directories. During 
these times, one company often shares an LDIF file with the other company to import 
into their directory. (Such an occurrence is commonplace during mergers and 
acquisitions.)

Currently, ESAPI has no way of dealing with such cases. In order to make LDAP 
encoding complete so that LDAP injection is addressed in this context as well, 
ESAPI should provide a standard way of encoding LDIF input as well. If user 
input comes in the way of LDIF, then other characters may need to be quoted as 
well. (Specifically, end-of-line terminators may need to be quoted to prevent 
newline injection which might be used to inject unintended LDAP attributes.)

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 31 Dec 2010 at 11:54
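As an added illustration (not ESAPI code, and in Python rather than Java), the three name-quoting cases listed above, the RFC 4515 filter escaping that produces the `\28` form mentioned later in the thread, and an LDIF line writer that base64-encodes any value RFC 2849 does not allow verbatim, which is how LDIF itself prevents the newline injection the report describes. The function names and the sample values are my own.

```python
import base64
import re

# Case 3 of the JNDI rules quoted in the issue: always backslash-quoted in a name.
DN_SPECIALS = set(',+"\\<>;')

# RFC 4515 filter-value escapes: backslash followed by the byte in hex.
# This is the encoding behind "(" -> "\28" seen in the second comment.
FILTER_SPECIALS = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}

def escape_dn_value(value: str) -> str:
    """Backslash-quote an RDN attribute value per cases 1-3 of the issue."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:                 # case 3: special anywhere
            out.append('\\' + ch)
        elif ch in ' #' and i == 0:           # case 1: leading space or '#'
            out.append('\\' + ch)
        elif ch == ' ' and i == last:         # case 2: trailing space
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_SPECIALS.get(ch, ch) for ch in value)

# RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and a first character that is
# not a space, ':' or '<'. Anything else must be written base64-encoded after "::".
_SAFE_STRING = re.compile(
    r'^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]'
    r'[\x01-\x09\x0b\x0c\x0e-\x7f]*$')

def ldif_attribute_line(attr: str, value: str) -> str:
    """Render one LDIF 'attr: value' line so user input cannot start a new line or attribute."""
    if value == '' or _SAFE_STRING.match(value):
        return f'{attr}: {value}'
    encoded = base64.b64encode(value.encode('utf-8')).decode('ascii')
    return f'{attr}:: {encoded}'

if __name__ == '__main__':
    # Constructed sample inputs.
    print(escape_dn_value('#Doe, John '))                 # \#Doe\, John\ 
    print(escape_filter_value('Hi (This) ='))             # Hi \28This\29 =
    print(ldif_attribute_line('cn', 'Jane\nobjectClass: top'))
```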

GoogleCodeExporter commented 9 years ago
I can do EncodeForLdap and EncodeForDN; however, the output, when passed through 
canonicalize, is garbage. 

Try using the test string "Hi (This) =".
Here "(" is converted to \28 on encoding. On decoding it gets converted to 
character 2, which is STX, i.e. nothing.

Please help.

Original comment by shilpi.a...@gmail.com on 28 Sep 2012 at 11:14