silentthread2k
asked on
Is there a way to better my LDAP filter security
Here is what is happening. I'm passing a value into a directorySearcher filter and it works great, but HP Fortify is complaining that the input is from an untrusted source.
It recommended that I validate it with a RegEx expression, but HP Fortify is still not liking the input. Is there such a thing as a parameterized LDAP value that I can pass, like I do with Oracle queries?
Here is the snippet...
    using System.DirectoryServices;
    using System.Text.RegularExpressions;

    // 'value' is the untrusted input and 'directoryEntry' is the search root bound elsewhere.
    // The pattern is anchored with '^' as well as '$' so the whole value, not just its tail, must match.
    string whitelist = "^[_a-zA-Z0-9]{1,30}$";
    Regex pattern = new Regex(whitelist);
    SearchResult searchResult = null;
    if (pattern.IsMatch(value))
    {
        var directorySearcher = new DirectorySearcher();
        directorySearcher.PropertiesToLoad.Add("orclnetdescstring");
        directorySearcher.SearchRoot = directoryEntry;
        directorySearcher.SearchScope = SearchScope.Subtree;
        directorySearcher.Filter = "(&(objectclass=orclNetService)(cn=" + value + "))";
        searchResult = directorySearcher.FindOne();
    }
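System.DirectoryServices has no parameterized filter API, so the equivalent of a bound parameter is to escape the value according to RFC 4515 (`\`, `*`, `(`, `)` and NUL become `\5c`, `\2a`, `\28`, `\29`, `\00`) before concatenating it into the filter. The following is an added example, not code from the question or from any answer on this page; `EscapeFilterValue`, `FindNetService` and the anchored `CnWhitelist` are names chosen here, and the escaping is applied on top of the whitelist so the filter stays safe even if the regex is later relaxed.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Text.RegularExpressions;

static class LdapFilterHelper
{
    // Escapes the characters that have special meaning inside an LDAP
    // search filter value, as \XX hex pairs (RFC 4515, section 3).
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Anchored on both ends: without '^', any string that merely ends in
    // 1-30 allowed characters (e.g. "*)(cn=a") would pass the whitelist.
    private static readonly Regex CnWhitelist = new Regex(@"^[_a-zA-Z0-9]{1,30}$");

    // Looks up an orclNetService entry by cn under the given search root.
    public static SearchResult FindNetService(DirectoryEntry root, string cn)
    {
        if (cn == null || !CnWhitelist.IsMatch(cn))
            throw new ArgumentException("cn contains characters outside the allowed set", nameof(cn));

        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("orclnetdescstring");
            // Escape even after the whitelist so the filter cannot be broken out of
            // if the allowed character set is widened later.
            searcher.Filter = "(&(objectclass=orclNetService)(cn=" + EscapeFilterValue(cn) + "))";
            return searcher.FindOne();
        }
    }
}
```

Whether a static analyser treats a custom escaper as a cleansing step depends on its rule set; the escaping is correct regardless of what the tool reports.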