/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE90_LDAP_Injection__getQueryString_Servlet_10.java Label Definition File: CWE90_LDAP_Injection.label.xml Template File: sources-sink-10.tmpl.java */ /* * @description * CWE: 90 LDAP Injection * BadSource: getQueryString_Servlet Parse id param out of the URL query string (without using getParameter()) * GoodSource: A hardcoded string * BadSink: data concatenated into LDAP search, which could result in LDAP Injection * Flow Variant: 10 Control flow: if(IO.staticTrue) and if(IO.staticFalse) * * */ package testcases.CWE90_LDAP_Injection; import testcasesupport.*; import javax.servlet.http.*; import java.util.StringTokenizer; import javax.naming.*; import javax.naming.directory.*; import java.util.Hashtable; import java.util.logging.Level; public class CWE90_LDAP_Injection__getQueryString_Servlet_10 extends AbstractTestCaseServlet { /* uses badsource and badsink */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.staticTrue) { data = ""; /* initialize data in case id is not in query string */ /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */ { StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&"); while (tokenizer.hasMoreTokens()) { String token = tokenizer.nextToken(); /* a token will be like "id=foo" */ if(token.startsWith("id=")) /* check if we have the "id" parameter" */ { data = token.substring(3); /* set data to "foo" */ break; /* exit while loop */ } } } } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } /* goodG2B1() - use goodsource and badsink by changing IO.staticTrue to IO.staticFalse */ private void goodG2B1(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.staticFalse) { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } else { /* FIX: Use a hardcoded string */ data = "foo"; } Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } /* goodG2B2() - use goodsource and badsink by reversing statements in if */ private void goodG2B2(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; if (IO.staticTrue) { /* FIX: Use a hardcoded string */ data = "foo"; } else { /* INCIDENTAL: CWE 561 Dead Code, the code below will never run * but ensure data is inititialized before the Sink to avoid compiler errors */ data = null; } Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable { goodG2B1(request, response); goodG2B2(request, response); } /* Below is the main(). It is only used when building this testcase on * its own for testing or for building a binary to use in testing binary * analysis tools. It is not used when compiling all the testcases as one * application, which is how source code analysis tools are tested. */ public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException { mainFromParent(args); } }