SonarQube didn't detect Critical Vulnerability - LDAP Injection

Hello,

We found a critical vulnerability which wasn't detected by SonarQube. The vulnerability is LDAP Injection, and our code is similar to the one in the example.

Vulnerable function:

import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// LDAP_ENV (the JNDI environment) and changeValueInObject(...) are defined
// elsewhere in the original code base and are not shown in the post.
public <T> T lookupByCn(String cn, String rootName, Class<T> aClass) throws Exception {
    DirContext ldapContext = new InitialDirContext(LDAP_ENV);
    try {
        // cn is parsed to check that it is numeric; the parsed value itself is never used.
        Long cnLong;
        try {
            cnLong = Long.parseLong(cn);
        } catch (NumberFormatException e) {
            throw new RuntimeException(e);
        }
        // The raw cn string is concatenated directly into the LDAP search filter (the sink).
        String query = "(&(objectClass=*)(cn=" + cn + "))";
        SearchControls ctrls = new SearchControls();
        ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        final NamingEnumeration<SearchResult> results = ldapContext.search(rootName, query, ctrls);
        if (results.hasMore()) {
            // Take the first matching entry and copy its attributes into a new instance of aClass.
            SearchResult r = results.nextElement();
            Attributes attrs = r.getAttributes();
            NamingEnumeration<? extends Attribute> namingEnum = attrs.getAll();
            T returnValue = aClass.getDeclaredConstructor().newInstance();
            while (namingEnum.hasMore()) {
                Attribute attr = namingEnum.nextElement();
                String id = attr.getID();
                NamingEnumeration<?> newVal = attr.getAll();
                changeValueInObject(returnValue, id, newVal);
            }
            return returnValue;
        }
        return null;
    } finally {
        ldapContext.close();
    }
}

Let me know what we can do to detect this kind of vulnerability in the future.

  • which versions are you using - SonarQube Enterprise Edition Version 9.5 (build 56709)
  • what are you trying to achieve - detecting the vulnerability
  • what have you tried so far to achieve this - we checked that the plugin was enabled in the profile scan

Have a nice day!

Hi Andrzej and welcome to the community!

Our taint analyzer only raises an issue if it detects user input (i.e. something that comes from a HTTP request and is controlled by the client) that ends up in the sensitive sink. Could you tell me if you have any user input that ends up in lookupByCn and can you include this code? Thanks!
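
As an added illustration of the source-to-sink flow described above (example code written for this thread, not code from the original post or from SonarSource): the value reaching `cn` is assumed to come from an HTTP request parameter, and the block contrasts the post's string-concatenated filter with two hardened variants, a hand-written RFC 4515 escaper and JNDI's own `filterArgs` overload. The class name, the helper names and the `searchByCn` signature are hypothetical.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapFilterEscapeDemo {

    // Vulnerable builder, as in the post: the caller-controlled value goes straight into the filter.
    static String buildFilterUnsafe(String cn) {
        return "(&(objectClass=*)(cn=" + cn + "))";
    }

    // Hardened builder: every value interpolated into a filter is escaped first.
    static String buildFilterSafe(String cn) {
        return "(&(objectClass=*)(cn=" + escapeFilterValue(cn) + "))";
    }

    /**
     * Escape a string for use as an assertion value in an LDAP search filter
     * (RFC 4515, section 3): NUL, '*', '(', ')' and '\' are replaced by "\HH".
     */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Alternative that needs no hand-written escaping: the filterArgs overload of
     * DirContext.search substitutes {0} and, per the JNDI javadoc, escapes the
     * supplied String argument itself. The context and base DN are passed in by
     * the caller (hypothetical signature chosen for this example).
     */
    static NamingEnumeration<SearchResult> searchByCn(DirContext ctx, String rootName, String cn)
            throws NamingException {
        SearchControls ctrls = new SearchControls();
        ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        return ctx.search(rootName, "(&(objectClass=*)(cn={0}))", new Object[] { cn }, ctrls);
    }

    public static void main(String[] args) {
        // Constructed attacker input, standing in for an HTTP request parameter:
        // it closes the cn assertion and appends a wildcard assertion on uid.
        String malicious = "*)(uid=*";

        System.out.println("unsafe: " + buildFilterUnsafe(malicious));
        System.out.println("safe:   " + buildFilterSafe(malicious));
    }
}
```

With the constructed input, the unsafe builder yields `(&(objectClass=*)(cn=*)(uid=*))`, a filter whose structure the caller has rewritten, while the escaped builder yields `(&(objectClass=*)(cn=\2a\29\28uid=\2a))`, in which the whole input is a single literal assertion value. For a taint analyzer to flag the original method, the code it analyzes must contain both ends of the flow: the request-handling entry point where the parameter is read and the call chain down to `ldapContext.search`.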

Hello Hendrik,

User input is used to build the query. In fact, we detected this vulnerability in DAST scans.
Can we share the source code on another channel? Due to the increased risk of possible attacks, we would prefer not to show the whole source code publicly.

Hello Andrzej,

Yeah, sure. I will start a private conversation.