LDAP Injection
Need
To prevent unauthorized data access and manipulation through LDAP Injection attacks
Context
- Usage of Elixir (v1.11+) with Erlang/OTP (v23+)
- Usage of the Erlang/OTP eldap library for LDAP operations
Description
Non compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    # :eldap.open/1 takes a list of charlist hosts and returns {:ok, handle}
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # The raw request value becomes the filter value with no check at all
    search_filter = :eldap.substrings('uid', [initial: String.to_charlist(username)])
    {:ok, {:eldap_search, entries, _referrals}} =
      :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    :eldap.close(handle)
    # eldap returns Erlang records, which json/2 cannot encode directly
    json(conn, Enum.map(entries, fn {:eldap_entry, dn, _attrs} -> to_string(dn) end))
  end
end
In this insecure code, the Elixir application accepts a username from user input and uses it directly as the value of an LDAP search filter, without validating or sanitizing it. This can be exploited for an LDAP Injection attack, leading to unauthorized data access or manipulation.
Steps
- Don't use user input directly in LDAP queries.
- Sanitize user input before using it in a query.
- Use parameterized queries or prepared statements if available.
Compliant code
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  def index(conn, %{"username" => username}) do
    {:ok, handle} = :eldap.open(['ldap.example.com'])
    # Remove the filter grouping characters before the value reaches the query
    username = username |> String.replace("(", "") |> String.replace(")", "")
    search_filter = :eldap.substrings('uid', [initial: String.to_charlist(username)])
    {:ok, {:eldap_search, entries, _referrals}} =
      :eldap.search(handle, base: 'ou=Users,dc=example,dc=com', filter: search_filter)
    :eldap.close(handle)
    json(conn, Enum.map(entries, fn {:eldap_entry, dn, _attrs} -> to_string(dn) end))
  end
end
In this secure code, the application now sanitizes the user input by removing the LDAP filter characters '(' and ')' before the value is used. The sanitized input is then used in the LDAP query.
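As an added example (not code from the original page), the stricter form of the "sanitize before querying" step: reject any username that fails an allowlist instead of stripping characters, and query with an exact match through the structured :eldap filter API, which encodes the value as a BER octet string rather than splicing it into a filter string. The module name MyApp.LdapUsers, the host and the base DN are assumed placeholders.

```elixir
defmodule MyApp.LdapUsers do
  # Placeholder host and base DN; a real deployment would also bind with a
  # service account (:eldap.simple_bind/3) before searching.
  @host 'ldap.example.com'
  @base 'ou=Users,dc=example,dc=com'
  # Allowlist: 1 to 64 letters, digits, dots, underscores or hyphens.
  @username_re ~r/\A[A-Za-z0-9._-]{1,64}\z/

  # Returns {:ok, [entry_map]} or {:error, reason}.
  def find_by_uid(username) when is_binary(username) do
    if Regex.match?(@username_re, username) do
      search(username)
    else
      # Reject rather than strip: stripping silently changes which account matches.
      {:error, :invalid_username}
    end
  end

  defp search(username) do
    # :eldap.open/1 takes a list of charlist hosts and returns {:ok, handle}.
    with {:ok, handle} <- :eldap.open([@host]) do
      try do
        run_search(handle, username)
      after
        :eldap.close(handle)
      end
    end
  end

  defp run_search(handle, username) do
    # Exact match on uid built with the structured API: the value is encoded as an
    # octet string, so '*', '(' and ')' are never interpreted as filter syntax.
    filter = :eldap.equalityMatch('uid', String.to_charlist(username))

    case :eldap.search(handle, base: @base, scope: :eldap.singleLevel(), filter: filter) do
      {:ok, {:eldap_search, entries, _referrals}} -> {:ok, Enum.map(entries, &entry_to_map/1)}
      {:error, reason} -> {:error, reason}
      other -> {:error, {:unexpected_response, other}}
    end
  end

  # Convert an eldap_entry record {:eldap_entry, dn, [{attr, [value]}]} into a
  # JSON-encodable map, since Phoenix's json/2 cannot encode the raw Erlang tuples.
  defp entry_to_map({:eldap_entry, dn, attrs}) do
    %{
      "dn" => to_string(dn),
      "attributes" =>
        Map.new(attrs, fn {name, values} -> {to_string(name), Enum.map(values, &to_string/1)} end)
    }
  end
end
```

The controller then calls json(conn, entries) on {:ok, entries} and answers {:error, :invalid_username} with a 400, so a rejected value never reaches the directory at all.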