Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added a function for LDAP input sanitization. #170

Open
wants to merge 1 commit into
base: version_3.1.6
Choose a base branch
from

Conversation

Heikkips
Copy link

@Heikkips Heikkips commented Dec 3, 2019

Added a function for sanitizing input strings before LDAP operations.
@link https://www.owasp.org/index.php/LDAP_injection

This can be used to sanitize the input of several oxAuth endpoints e.g.:

return StringHelper.sanitizeLdapInput(authorizationParameter.substring(prefix.length()));

AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(StringHelper.sanitizeLdapInput(accessToken));

@willow9886 willow9886 requested a review from yurem December 6, 2019 01:06
@mzico
Copy link

mzico commented Dec 17, 2019

@yurem ^

@nynymike
Copy link
Contributor

nynymike commented Sep 7, 2020

I'm not sure oxCore is the right place to do this. You may end up sanitizing all input, not just input from the end user. Personally, I would do this in the authn interception script. Futhermore, I think Weld has some built in protection for escaping user input.

@yurem
Copy link
Contributor

yurem commented Sep 7, 2020

Line from oxAuth builds filter like Filter.create(String.format("oxAuthTokenCode=%s", TokenHashUtil.getHashedToken(p_code))

According to UnboidID SDK docs it already has sanitizing support:
It is safer, since if the assertion value may be based on user input then it is not necessary to worry about sanitizing the data or the possibility of injection attacks.

Can you provide example of invalid input to allow us double check it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants