RSPEC-4434

LDAP deserialization should be disabled

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Disable object deserialization
    • Highlighting:
      DirContext.search() invocation
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-502
    • OWASP:
      A8
    • FindSecBugs:
      LDAP_ENTRY_POISONING

      Description

      JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution.

      This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization.

      Noncompliant Code Example

      import javax.naming.directory.DirContext;
      import javax.naming.directory.InitialDirContext;
      import javax.naming.directory.SearchControls;

      DirContext ctx = new InitialDirContext();
      // ...
      ctx.search(query, filter,
              new SearchControls(scope, countLimit, timeLimit, attributes,
                  true, // Noncompliant; returnObjFlag=true asks the provider to deserialize stored Java objects
                  deref));


      Compliant Solution

      DirContext ctx = new InitialDirContext();
      // ...
      ctx.search(query, filter,
              new SearchControls(scope, countLimit, timeLimit, attributes,
                  false, // Compliant; returnObjFlag=false, entries are returned as attributes only
                  deref));

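      The two snippets above show only the constructor argument. The following is an added example, not part of the rule or of SonarSource's code, that shows the same setting on a SearchControls built with setters, a guard that rejects controls built elsewhere with the flag enabled, and a search that iterates the results as attributes. The class name SafeLdapSearch, the helper names and the LDAP URL are assumptions; no real server is contacted unless you replace the placeholder URL.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example (hypothetical class name); demonstrates RSPEC-4434 in both directions.
public class SafeLdapSearch {

    /** Builds SearchControls that never ask the provider to deserialize stored objects. */
    static SearchControls safeControls(String[] attributes) {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(attributes);
        controls.setReturningObjFlag(false); // false is the default; set it explicitly for reviewers
        controls.setCountLimit(100);
        controls.setTimeLimit(5_000);        // milliseconds
        return controls;
    }

    /** Guard for controls constructed elsewhere: refuse to search when deserialization is enabled. */
    static void requireNoObjectReturn(SearchControls controls) {
        if (controls.getReturningObjFlag()) {
            throw new IllegalArgumentException(
                "SearchControls.returnObjFlag must be false: LDAP entries would be deserialized");
        }
    }

    /** Runs a parameterized search and prints each entry's attributes; getObject() stays null. */
    static void search(DirContext ctx, String base, String uid, SearchControls controls)
            throws NamingException {
        requireNoObjectReturn(controls);
        // {0} is substituted and escaped by JNDI, so the uid cannot alter the filter.
        NamingEnumeration<SearchResult> results =
            ctx.search(base, "(uid={0})", new Object[] {uid}, controls);
        try {
            while (results.hasMore()) {
                SearchResult entry = results.next();
                System.out.println(entry.getNameInNamespace() + " -> " + entry.getAttributes());
            }
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) {
        String[] attrs = {"cn", "mail"};

        // The noncompliant constructor from the rule: fifth argument (returnObjFlag) is true.
        SearchControls risky =
            new SearchControls(SearchControls.SUBTREE_SCOPE, 100, 5_000, attrs, true, false);
        try {
            requireNoObjectReturn(risky);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Compliant controls pass the guard and can be used for the search.
        SearchControls safe = safeControls(attrs);
        requireNoObjectReturn(safe);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.invalid:389"); // placeholder, replace with your server
        try {
            DirContext ctx = new InitialDirContext(env);
            try {
                search(ctx, "ou=people,dc=example,dc=invalid", "jdoe", safe);
            } finally {
                ctx.close();
            }
        } catch (NamingException e) {
            System.out.println("no directory reachable at placeholder URL: " + e.getMessage());
        }
    }
}
```

      The guard is the useful part for code review: a SearchControls object may be built far from the search call, so checking getReturningObjFlag() at the point of use catches both the constructor form flagged by the rule and a later setReturningObjFlag(true).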

      People

      • Assignee: Unassigned
      • Reporter: jeanchristophe.collet Jean-Christophe Collet (Inactive)
      • Votes: 0
      • Watchers: 2