LDAP injection

Severity
High

An LDAP query that relies on potentially untrusted inputs might allow attackers to inject unwanted elements into the query. This can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.

Detector ID
python/ldap-injection@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

from flask import Flask, request
import ldap

app = Flask(__name__)


@app.route('/getUsers')
def get_users_noncompliant():
    username = request.args['username']
    # Noncompliant: the untrusted value is concatenated straight into the
    # filter, so metacharacters such as '*', '(' and ')' change its meaning.
    filter_string = '(uid=' + username + ')'
    ldap_conn = ldap.initialize('ldaps://ldap.amazon.com:636')
    result = ldap_conn.search_s('o=amazon.com',
                                ldap.SCOPE_SUBTREE,
                                filter_string)
    # search_s returns a list of (dn, attributes) tuples; return the DNs as JSON.
    return {'users': [dn for dn, _attrs in result]}

Compliant example

import re

from flask import Flask, request
import ldap

app = Flask(__name__)


@app.route('/getUsers')
def get_users_compliant():
    username = request.args['username']
    # Compliant: filter metacharacters are removed before the value is placed
    # in the filter. The hyphen is escaped so that '+-=' is not read as a
    # character range (which would also strip digits), and the backslash is
    # included because it starts LDAP escape sequences.
    filter_string = '(uid=' + re.sub(r'[!@#$%^&*()_+=\-\\]', '', username) + ')'
    ldap_conn = ldap.initialize('ldaps://ldap.amazon.com:636')
    result = ldap_conn.search_s('o=amazon.com',
                                ldap.SCOPE_SUBTREE,
                                filter_string)
    return {'users': [dn for dn, _attrs in result]}
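The following is an added example, not code from the detector page or from python-ldap, showing the two controls that actually close this finding: escaping the RFC 4515 filter metacharacters (the same rule python-ldap implements in ldap.filter.escape_filter_chars and ldap.filter.filter_format) and validating the value against an allowlist before it is used. It also shows why a regex deny-list is fragile: in a character class, '+-=' is a range, so a pattern such as [!@#$%^&*()_+-=] silently strips digits and hyphens while letting the backslash through. The escape table is reimplemented here so the block runs offline without an LDAP server; the uid allowlist and the sample inputs are constructed for the example.

```python
import re

# Escapes for LDAP search-filter metacharacters (RFC 4515, section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed allowlist for a uid: letters, digits, dot, underscore, hyphen, 1-64 chars.
_UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_chars(value: str) -> str:
    """Escape filter metacharacters so the value is matched literally.
    Mirrors the rule used by python-ldap's ldap.filter.escape_filter_chars."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_uid(username: str) -> bool:
    """Allowlist check: True only if every character is one a uid may contain."""
    return _UID_RE.fullmatch(username) is not None


def build_uid_filter(username: str) -> str:
    """Escaping only: any input is safe to embed, because no input can add or
    remove filter components once the metacharacters are escaped."""
    return "(uid=" + escape_filter_chars(username) + ")"


def build_uid_filter_strict(username: str) -> str:
    """Allowlist first, then escape (defence in depth). Rejects input that a
    uid should never contain instead of silently altering it."""
    if not is_valid_uid(username):
        raise ValueError("username contains characters outside the allowlist")
    return build_uid_filter(username)


def strip_with_range_bug(username: str) -> str:
    """What the deny-list [!@#$%^&*()_+-=] really does: '+-=' is a range from
    '+' (0x2B) to '=' (0x3D), so digits, ',', '-', '.', '/', ':', ';' and '<'
    are stripped as well, while '\\' and NUL pass through untouched."""
    return re.sub("[!@#$%^&*()_+-=]", "", username)


def strip_denylist_fixed(username: str) -> str:
    """The same deny-list with the hyphen escaped and backslash/NUL added.
    Still weaker than escaping, because it changes the value it was given."""
    return re.sub(r"[!@#$%^&*()_+=\-\\\x00]", "", username)


if __name__ == "__main__":
    # Constructed inputs: a normal uid and one carrying filter metacharacters.
    for value in ("alice-01", "*)(uid=*"):
        print(repr(value))
        print("  escaped filter :", build_uid_filter(value))
        print("  allowlist ok   :", is_valid_uid(value))
        print("  range-bug strip:", repr(strip_with_range_bug(value)))
        print("  fixed strip    :", repr(strip_denylist_fixed(value)))
```

With a real python-ldap connection the same filter would be produced by ldap.filter.filter_format('(uid=%s)', [username]), which escapes each substituted value for you; the allowlist check is worth keeping in front of it so that malformed input is rejected with a 400 rather than turned into a query that matches nothing.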