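/* TEMPLATE GENERATED TESTCASE FILE
Filename: CWE90_LDAP_Injection__listen_tcp_41.java
Label Definition File: CWE90_LDAP_Injection.label.xml
Template File: sources-sink-41.tmpl.java
*/
/*
 * @description
 * CWE: 90 LDAP Injection
 * BadSource: listen_tcp Read data using a listening tcp connection
 * GoodSource: A hardcoded string
 * BadSink: data concatenated into LDAP search, which could result in LDAP Injection
 * Flow Variant: 41 Data flow: data passed as an argument from one method to another in the same class
 *
 * */

package testcases.CWE90_LDAP_Injection;

import testcasesupport.*;

import javax.servlet.http.*;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.IOException;
import java.net.Socket;
import java.net.ServerSocket;

import java.util.logging.Level;

import javax.naming.*;
import javax.naming.directory.*;
import java.util.Hashtable;

/**
 * Juliet CWE-90 (LDAP Injection) test case, flow variant 41: the tainted value is passed as
 * a method argument from one method to another inside this class.
 *
 * bad(): accepts one TCP client on port 39543, reads a single line from it and hands that
 * line, unmodified, to badSink(), which splices it into an LDAP search filter.
 * good(): goodG2B() hands the hardcoded string "foo" to goodG2BSink(), which is the same
 * sink code; the only difference is the trusted source.
 *
 * The "POTENTIAL FLAW" and "FIX" markers below are the labels static-analysis tools are
 * scored against. They are intentional and are not to be "fixed" in this file.
 *
 * Review note: the type arguments on Hashtable and NamingEnumeration had been lost
 * (presumably in extraction); without them {@code SearchResult searchResult = answer.next()}
 * does not compile because a raw NamingEnumeration.next() returns Object. They are restored
 * here; no other code was changed.
 */
public class CWE90_LDAP_Injection__listen_tcp_41 extends AbstractTestCase
{
    /**
     * Bad sink: builds the LDAP filter {@code "(cn=" + data + ")"} by string concatenation
     * and runs it against ldap://localhost:389 over a plaintext, anonymous connection (the
     * environment sets no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS).
     *
     * @param data in bad() this is attacker-controlled. Filter metacharacters in it
     *             ({@code *}, {@code (}, {@code )}, {@code \}, NUL) change the structure of
     *             the filter instead of being matched literally; RFC 4515 requires them to
     *             be escaped. The safe pattern is the filterArgs overload,
     *             {@code directoryContext.search("", "(cn={0})", new Object[] {data}, null)},
     *             which lets JNDI escape the value, or explicit RFC 4515 escaping before
     *             concatenation. Neither is applied here by design (this is the BadSink).
     * @throws Throwable declared by the template; NamingException is caught and logged
     *                   below rather than propagated.
     */
    private void badSink(String data ) throws Throwable
    {
        Hashtable<String, String> environmentHashTable = new Hashtable<String, String>();
        environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389");
        DirContext directoryContext = null;
        try
        {
            directoryContext = new InitialDirContext(environmentHashTable);
            /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */
            String search = "(cn=" + data + ")";
            // Empty base name: search relative to the root named by PROVIDER_URL.
            // null SearchControls: JNDI's defaults (one-level scope, all attributes returned).
            NamingEnumeration<SearchResult> answer = directoryContext.search("", search, null);
            while (answer.hasMore())
            {
                SearchResult searchResult = answer.next();
                Attributes attributes = searchResult.getAttributes();
                NamingEnumeration<?> allAttributes = attributes.getAll();
                while (allAttributes.hasMore())
                {
                    Attribute attribute = (Attribute) allAttributes.next();
                    NamingEnumeration<?> allValues = attribute.getAll();
                    while(allValues.hasMore())
                    {
                        // Every attribute value of every match is written out; with an
                        // injected filter this is where unintended entries would surface.
                        IO.writeLine(" Value: " + allValues.next().toString());
                    }
                }
            }
        }
        catch (NamingException exceptNaming)
        {
            IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming);
        }
        finally
        {
            // Always release the directory connection, even when the search failed.
            if (directoryContext != null)
            {
                try
                {
                    directoryContext.close();
                }
                catch (NamingException exceptNaming)
                {
                    IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming);
                }
            }
        }
    }

    /**
     * Bad flow: BadSource (listening TCP socket) feeding BadSink via a method argument.
     *
     * The source listens on port 39543 on the wildcard address (ServerSocket(int) binds all
     * interfaces), accepts exactly one client with no authentication, and reads one line
     * from it. Caveats a reviewer should note about that source as written:
     * - readLine() returns null if the peer closes the connection before sending a line,
     *   so badSink() then builds the filter "(cn=null)";
     * - readLine() has no length bound, so a client can send an arbitrarily long line;
     * - if the read throws, data stays "" and badSink() is still called with "(cn=)".
     *
     * @throws Throwable propagated from badSink()
     */
    public void bad() throws Throwable
    {
        String data;

        data = ""; /* Initialize data */

        /* Read data using a listening tcp connection */
        {
            ServerSocket listener = null;
            Socket socket = null;
            BufferedReader readerBuffered = null;
            InputStreamReader readerInputStream = null;

            /* Read data using a listening tcp connection */
            try
            {
                listener = new ServerSocket(39543);
                socket = listener.accept();

                /* read input from socket */
                readerInputStream = new InputStreamReader(socket.getInputStream(), "UTF-8");
                readerBuffered = new BufferedReader(readerInputStream);

                /* POTENTIAL FLAW: Read data using a listening tcp connection */
                data = readerBuffered.readLine();
            }
            catch (IOException exceptIO)
            {
                IO.logger.log(Level.WARNING, "Error with stream reading", exceptIO);
            }
            finally
            {
                /* Close stream reading objects */
                try
                {
                    if (readerBuffered != null)
                    {
                        readerBuffered.close();
                    }
                }
                catch (IOException exceptIO)
                {
                    IO.logger.log(Level.WARNING, "Error closing BufferedReader", exceptIO);
                }

                try
                {
                    if (readerInputStream != null)
                    {
                        readerInputStream.close();
                    }
                }
                catch (IOException exceptIO)
                {
                    IO.logger.log(Level.WARNING, "Error closing InputStreamReader", exceptIO);
                }

                /* Close socket objects */
                try
                {
                    if (socket != null)
                    {
                        socket.close();
                    }
                }
                catch (IOException exceptIO)
                {
                    IO.logger.log(Level.WARNING, "Error closing Socket", exceptIO);
                }

                try
                {
                    if (listener != null)
                    {
                        listener.close();
                    }
                }
                catch (IOException exceptIO)
                {
                    IO.logger.log(Level.WARNING, "Error closing ServerSocket", exceptIO);
                }
            }
        }

        badSink(data );
    }

    /**
     * Good entry point: runs the GoodSource -> BadSink flow only.
     *
     * @throws Throwable propagated from goodG2B()
     */
    public void good() throws Throwable
    {
        goodG2B();
    }

    /**
     * Same sink code as badSink(). It still concatenates {@code data} into the filter; it is
     * "good" only because, in this flow, the caller passes the hardcoded string "foo".
     * The sink itself would be just as injectable with an untrusted argument.
     *
     * @param data value spliced into the filter "(cn=" + data + ")"
     * @throws Throwable declared by the template; NamingException is caught and logged
     */
    private void goodG2BSink(String data ) throws Throwable
    {
        Hashtable<String, String> environmentHashTable = new Hashtable<String, String>();
        environmentHashTable.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        environmentHashTable.put(Context.PROVIDER_URL, "ldap://localhost:389");
        DirContext directoryContext = null;
        try
        {
            directoryContext = new InitialDirContext(environmentHashTable);
            /* POTENTIAL FLAW: data concatenated into LDAP search, which could result in LDAP Injection */
            String search = "(cn=" + data + ")";
            NamingEnumeration<SearchResult> answer = directoryContext.search("", search, null);
            while (answer.hasMore())
            {
                SearchResult searchResult = answer.next();
                Attributes attributes = searchResult.getAttributes();
                NamingEnumeration<?> allAttributes = attributes.getAll();
                while (allAttributes.hasMore())
                {
                    Attribute attribute = (Attribute) allAttributes.next();
                    NamingEnumeration<?> allValues = attribute.getAll();
                    while(allValues.hasMore())
                    {
                        IO.writeLine(" Value: " + allValues.next().toString());
                    }
                }
            }
        }
        catch (NamingException exceptNaming)
        {
            IO.logger.log(Level.WARNING, "The LDAP service was not found or login failed.", exceptNaming);
        }
        finally
        {
            if (directoryContext != null)
            {
                try
                {
                    directoryContext.close();
                }
                catch (NamingException exceptNaming)
                {
                    IO.logger.log(Level.WARNING, "Error closing DirContext", exceptNaming);
                }
            }
        }
    }

    /* goodG2B() - use goodsource and badsink */
    private void goodG2B() throws Throwable
    {
        String data;

        /* FIX: Use a hardcoded string */
        data = "foo";

        goodG2BSink(data );
    }

    /* Below is the main(). It is only used when building this testcase on
     * its own for testing or for building a binary to use in testing binary
     * analysis tools. It is not used when compiling all the testcases as one
     * application, which is how source code analysis tools are tested.
     */
    public static void main(String[] args) throws ClassNotFoundException,
           InstantiationException, IllegalAccessException
    {
        mainFromParent(args);
    }
}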