• Status: Solved

Is there a way to better my LDAP filter security

Here is what is happening. I'm passing a value into a directorySearcher filter and it works great, but HP Fortify is complaining that the input is from an untrusted source.

It recommended that I validate it with a RegEx expression, but HP Fortify is still not liking the input. Is there such a thing as a parameterized LDAP value that I can pass, like I do with Oracle queries?

Here is the snippet...

using System.DirectoryServices;
using System.Text.RegularExpressions;

// Allow-list pattern applied to the untrusted value before it goes into the filter
string whitelist = "[_a-zA-Z0-9]{1,30}$";
Regex pattern = new Regex(whitelist);

if (pattern.IsMatch(value))
{
    var directorySearcher = new DirectorySearcher();
    directorySearcher.PropertiesToLoad.Add("orclnetdescstring");
    directorySearcher.SearchRoot = directoryEntry;
    directorySearcher.SearchScope = SearchScope.Subtree;
    // The validated value is concatenated directly into the LDAP filter string
    directorySearcher.Filter = "(&(objectclass=orclNetService)(cn=" + value + "))";
    searchResult = directorySearcher.FindOne();
}
Asked:
silentthread2k

1 Solution
Learnctx (Engineer) commented:
Well, your regex is not the best as you're only matching the end of the string (unless that was your goal).

string whitelist = "[_a-zA-Z0-9]{1,30}$";

This will match a string that ends with between 1 and 30 characters in the class [_a-zA-Z0-9]. This will also match crazy things like:

@#?@#!@#.a

You want to specify a start string character.

string whitelist = "^[_a-zA-Z0-9]{1,30}$";

I don't otherwise know anything about the Fortify product.
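As an added example (not code from the thread), the two patterns side by side in a small C# console program, plus an escaping step that stands in for the parameter binding the asker was looking for, since DirectorySearcher offers none; the helper names and the sample cn are assumptions:

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example, not the asker's code. IsSafeCn, EscapeFilterValue and
// BuildFilter are names chosen here; the patterns are the ones from the thread.
static class LdapFilterGuard
{
    // The asker's original pattern: only the end of the input is tested.
    static readonly Regex Unanchored = new Regex("[_a-zA-Z0-9]{1,30}$");
    // The answer's corrected pattern: the whole input must match.
    static readonly Regex Anchored = new Regex("^[_a-zA-Z0-9]{1,30}$");

    public static bool IsSafeCn(string value) => Anchored.IsMatch(value);

    // Defence in depth (an addition, not from the thread): DirectorySearcher has no
    // parameter binding, so escape the RFC 4515 filter metacharacters as well.
    // Redundant while the allow-list holds, but it still protects if that list is later relaxed.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Validate first, escape second, and only then build the filter string.
    public static string BuildFilter(string cn)
    {
        if (!IsSafeCn(cn))
            throw new ArgumentException("cn failed the allow-list check", nameof(cn));
        return "(&(objectclass=orclNetService)(cn=" + EscapeFilterValue(cn) + "))";
    }

    static void Main()
    {
        string junk = "@#?@#!@#.a"; // the answer's example input, used here as a constructed test value
        Console.WriteLine($"unanchored: {Unanchored.IsMatch(junk)}, anchored: {Anchored.IsMatch(junk)}");
        Console.WriteLine(BuildFilter("svc_db01")); // constructed sample cn
    }
}
```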
Question has a verified solution.