/* TEMPLATE GENERATED TESTCASE FILE Filename: CWE90_LDAP_Injection__getQueryString_Servlet_17.java Label Definition File: CWE90_LDAP_Injection.label.xml Template File: sources-sink-17.tmpl.java */ /* * @description * CWE: 90 LDAP Injection * BadSource: getQueryString_Servlet Parse id param out of the URL query string (without using getParameter()) * GoodSource: A hardcoded string * BadSink: data concatenated into LDAP search, which could result in LDAP Injection * Flow Variant: 17 Control flow: for loops * * */ package testcases.CWE90_LDAP_Injection; import testcasesupport.*; import javax.servlet.http.*; import java.util.StringTokenizer; import javax.naming.*; import javax.naming.directory.*; import java.util.Hashtable; import java.util.logging.Level; public class CWE90_LDAP_Injection__getQueryString_Servlet_17 extends AbstractTestCaseServlet { /* uses badsource and badsink */ public void bad(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; data = ""; /* initialize data in case id is not in query string */ /* POTENTIAL FLAW: Parse id param out of the URL querystring (without using getParameter()) */ { StringTokenizer tokenizer = new StringTokenizer(request.getQueryString(), "&"); while (tokenizer.hasMoreTokens()) { String token = tokenizer.nextToken(); /* a token will be like "id=foo" */ if(token.startsWith("id=")) /* check if we have the "id" parameter" */ { data = token.substring(3); /* set data to "foo" */ break; /* exit while loop */ } } } for (int i = 0; i < 1; i++) { Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } } /* goodG2B() - use goodsource and badsink by reversing the block outside the * for statement with the one in the for statement */ private void goodG2B(HttpServletRequest request, HttpServletResponse response) throws Throwable { String data; /* FIX: Use a hardcoded string */ data = "foo"; for (int i = 0; i < 1; i++) { Hashtable environmentHashTable = new Hashtable(); environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory"); environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389"); DirContext directoryContext = null; try { directoryContext = new InitialDirContext(environmentHashTable); /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */ String search = "(cn=" + data + ")"; NamingEnumeration answer = directoryContext.search("", search, null); while (answer.hasMore()) { SearchResult searchResult = answer.next(); Attributes attributes = searchResult.getAttributes(); NamingEnumeration allAttributes = attributes.getAll(); while (allAttributes.hasMore()) { Attribute attribute = (Attribute) allAttributes.next(); NamingEnumeration allValues = attribute.getAll(); while(allValues.hasMore()) { IO.writeLine(" Value: " + allValues.next().toString()); } } } } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming); } finally { if (directoryContext != null) { try { directoryContext.close(); } catch (NamingException exceptNaming) { IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming); } } } } } public void good(HttpServletRequest request, HttpServletResponse response) throws Throwable { goodG2B(request, response); } /* Below is the main(). It is only used when building this testcase on * its own for testing or for building a binary to use in testing binary * analysis tools. It is not used when compiling all the testcases as one * application, which is how source code analysis tools are tested. */ public static void main(String[] args) throws ClassNotFoundException, InstantiationException, IllegalAccessException { mainFromParent(args); } }