Preventing LDAP Injection in Java

Revision as of 14:11, 29 April 2007 by Thierry.deleeuw (Talk | contribs)

Jump to: navigation, search

This article is being discussed.

The best way to prevent LDAP injection is to use a positive validation scheme for ensuring that the data going into your queries doesn't contain any attacks. You can read more in the OWASP Guide about input validation.

However, in some cases, it is necessary to include special characters in input that is passed into an LDAP query. In this case, using escaping can prevent the LDAP interpreter from thinking those special characters are actually LDAP query. Rather, the encoding lets the interpreter treat those special characters as data.

Here are a few methods for escaping certain meta-characters in LDAP queries. Both the distinguished name (DN) and the search filter have their own sets of meta-characters. In the case of Java, it is also necessary to escape any JNDI meta-characters, since java uses JNDI to perform LDAP queries.

The examples below present Java methods that could be used to perform this escaping:

Note: This is untested code --Stephendv 05:08, 10 July 2006 (EDT)

 public String escapeDN (String name) {
       //From RFC 2253 and the / character for JNDI
       final char[] META_CHARS = {'+', '"', '<', '>', ';', '/'};
       String escapedStr = new String(name);
       //Backslash is both a Java and an LDAP escape character, so escape it first
       escapedStr = escapedStr.replaceAll("\\\\","\\\\");
       //Positional characters - see RFC 2253
       escapedStr = escapedStr.replaceAll("^#","\\\\#");
       escapedStr = escapedStr.replaceAll("^ | $","\\\\ ");
       for (int i=0;i < META_CHARS.length;i++) {
           escapedStr = escapedStr.replaceAll("\\"+META_CHARS[i],"\\\\" + META_CHARS[i]);
       return escapedStr;

Note, that the backslash character is a Java String literal and a regular expression escape character.

  public String escapeSearchFilter (String filter) {
       //From RFC 2254
       String escapedStr = new String(filter);
       escapedStr = escapedStr.replaceAll("\\\\","\\\\5c");
       escapedStr = escapedStr.replaceAll("\\*","\\\\2a");
       escapedStr = escapedStr.replaceAll("\\(","\\\\28");
       escapedStr = escapedStr.replaceAll("\\)","\\\\29");
       escapedStr = escapedStr.replaceAll("\\"+Character.toString('\u0000'), "\\\\00");
       return escapedStr;

Optimized version of the previous code using precompiled patterns (speed increase is 20% on my PC).--Thierry.deleeuw 16:11, 29 April 2007 (EDT)

   private static final Pattern BACKSLASH_PATTERN = Pattern.compile("\\\\");
   private static final Pattern STAR_PATTERN = Pattern.compile("\\*");
   private static final Pattern OPEN_PARENTHESIS_PATTERN = Pattern.compile("\\(");
   private static final Pattern CLOSE_PARENTHESIS_PATTERN = Pattern.compile("\\)");
   private static final Pattern NULL_CHARACTER_PATTERN = Pattern.compile("\\" + Character.toString('\u0000'));
   public static final String escapeLDAPSearchFilter(String filter) {
       //From RFC 2254
       Matcher match = BACKSLASH_PATTERN.matcher(filter);
       String result = match.replaceAll("\\\\5c");
       match = STAR_PATTERN.matcher(result);
       result = match.replaceAll("\\\\2a");
       match = OPEN_PARENTHESIS_PATTERN.matcher(result);
       result = match.replaceAll("\\\\28");
       match = CLOSE_PARENTHESIS_PATTERN.matcher(result);
       result = match.replaceAll("\\\\29");
       match = NULL_CHARACTER_PATTERN.matcher(result);
       result = match.replaceAll("\\\\00");
       return result;