Is there some method to securely build a filter / Distinguished name? #151

Open
Compufreak345 opened this issue Jan 28, 2021 · 2 comments
@Compufreak345

Compufreak345 commented Jan 28, 2021

I am currently trying to protect against injection attacks, e.g. by users providing a username with special characters, as described here.

Before building my own validation logic, I'd like to ask: Is there some kind of utility available for building a secure Dn or Filter string? I always prefer using peer reviewed security logic instead of rolling my own.

I had a look into Utilclass/Dn and Utilclass/Rdn, but they seem to not check much - Rdn checks that there is only one Rdn when using new Rdn($"uid={username}"), but this does not protect against something like an asterisk. The other parts just seem like quite straightforward parsing and ToString methods.

I'd appreciate any hints.

Thanks & best regards,
Christoph

P.S.: If there are no predefined helpers for this, my measures probably will be:

  • Validate the user name based on a whitelist of allowed characters
  • UTF8-encode every character of a filter query input string with the Microsoft.Security.Application.Encoder.LdapFilterEncode method from Microsoft's AntiXSS package.
  • Use the validation from the Rdn-constructor to make sure no one can mess with the user path

Some of those might be redundant, but better be safe than sorry ;)

@dsbenghe
Owner

No. There is nothing like this currently.

Happy to take PRs related with this.

@Compufreak345
Author

I'm thinking of moving the "LdapEncoder" from Microsoft's AntiXSS package to this library, as the package has reached end of life.

I think the license should be compatible and allow this; what do you think?

=============================================================================================================
Microsoft Web Protection Library (http://wpl.codeplex.com)
This work is licensed under the Microsoft Public License (Ms-PL)
Copyright (c) 2010 Microsoft Corporation

=============================================================================================================

Microsoft Public License (Ms-PL)

This license governs use of the accompanying software. If you use the software, you accept this license.
If you do not accept the license, do not use the software.

  1. Definitions
    The terms "reproduce," "reproduction," "derivative works," and "distribution" have the same meaning
    here as under U.S. copyright law. A "contribution" is the original software, or any additions or
    changes to the software. A "contributor" is any person that distributes its contribution under this
    license. "Licensed patents" are a contributor's patent claims that read directly on its contribution.
  2. Grant of Rights
    (A) Copyright Grant- Subject to the terms of this license, including the license conditions and
    limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free
    copyright license to reproduce its contribution, prepare derivative works of its contribution, and
    distribute its contribution or any derivative works that you create.
    (B) Patent Grant- Subject to the terms of this license, including the license conditions and
    limitations in section 3, each contributor grants you a non-exclusive, worldwide, royalty-free
    license under its licensed patents to make, have made, use, sell, offer for sale, import, and/or
    otherwise dispose of its contribution in the software or derivative works of the contribution in
    the software.
  3. Conditions and Limitations
    (A) No Trademark License- This license does not grant you rights to use any contributors' name, logo,
    or trademarks.
    (B) If you bring a patent claim against any contributor over patents that you claim are infringed by
    the software, your patent license from such contributor to the software ends automatically.
    (C) If you distribute any portion of the software, you must retain all copyright, patent, trademark,
    and attribution notices that are present in the software.
    (D) If you distribute any portion of the software in source code form, you may do so only under this
    license by including a complete copy of this license with your distribution. If you distribute any
    portion of the software in compiled or object code form, you may only do so under a license that
    complies with this license.
    (E) The software is licensed "as-is." You bear the risk of using it. The contributors give no express
    warranties, guarantees, or conditions. You may have additional consumer rights under your local
    laws which this license cannot change. To the extent permitted under your local laws, the
    contributors exclude the implied warranties of merchantability, fitness for a particular purpose
    and non-infringement.

=============================================================================================================

This is how I use it:

    // Assumed usings for the two helpers below (not shown in the original post):
    // using Microsoft.Security.Application;      // Encoder.LdapFilterEncode
    // using Novell.Directory.Ldap.Utilclass;     // Dn, Rdn
    // using JetBrains.Annotations;               // [NotNull]

    private string GetUidFilter([NotNull] string username)
    {
        var s = $"uid={username}";
        // new Rdn validates that the RDN contains only a single attribute, otherwise it throws an AttributeException.
        var rdn = new Rdn(s);
        return $"({Encoder.LdapFilterEncode(rdn.ToString())})";
    }

    // This method cannot use LdapFilterEncode as the Novell.Directory.Ldap library does not seem to support escaped DNs.
    private string GetRootedUidDn([NotNull] string username)
    {
        var s = $"uid={username}";
        // new Rdn validates that the RDN contains only a single attribute, otherwise it throws an AttributeException.
        var rdn = new Rdn(s);
        var dn = new Dn(this.appSettings.Ldap.BaseSearchDn);
        dn.AddRdnToFront(rdn);
        return dn.ToString();
    }

Unfortunately I cannot pass an encoded Dn to the Bind command - but I think this should not be a security issue as it does some encoding magic behind the scenes?
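
As an added example for the measures listed in the first post (allow-list validation, filter-value escaping, DN building) and for the two helper methods above, here is a self-contained C# sketch of the two escapings this issue is about. It is written for this page and is not code from the library or from the AntiXSS package; `LdapInjectionGuard`, its method names and the allow-list pattern are assumptions. The escaping rules themselves follow RFC 4515 (assertion values in search filters) and RFC 4514 (attribute values in RDNs).

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example (hypothetical class, not part of Novell.Directory.Ldap or AntiXSS).
public static class LdapInjectionGuard
{
    // Allow-list for user names; the exact character set is site policy (assumption).
    private static readonly Regex AllowedUsername =
        new Regex(@"^[A-Za-z0-9._-]{1,64}$", RegexOptions.Compiled);

    public static bool IsAllowedUsername(string username) =>
        username != null && AllowedUsername.IsMatch(username);

    // RFC 4515 section 3: inside an assertion value, '*', '(', ')', '\' and NUL must be
    // written as "\HH". Other octets may be escaped the same way; this version also
    // hex-escapes control and non-ASCII bytes, a conservative choice the RFC permits.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (var b in Encoding.UTF8.GetBytes(value))
        {
            switch (b)
            {
                case (byte)'*':
                case (byte)'(':
                case (byte)')':
                case (byte)'\\':
                case 0:
                    sb.Append('\\').Append(b.ToString("x2"));
                    break;
                default:
                    if (b < 0x20 || b >= 0x7f)
                        sb.Append('\\').Append(b.ToString("x2"));
                    else
                        sb.Append((char)b);
                    break;
            }
        }
        return sb.ToString();
    }

    // RFC 4514 section 2.4: in an RDN value, escape '"', '+', ',', ';', '<', '>' and '\'
    // anywhere; '#' and ' ' at the start; ' ' at the end; NUL as "\00".
    public static string EscapeDnValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool leading = i == 0;
            bool trailing = i == value.Length - 1;
            switch (c)
            {
                case '"': case '+': case ',': case ';': case '<': case '>': case '\\':
                    sb.Append('\\').Append(c);
                    break;
                case '#' when leading:
                    sb.Append("\\#");
                    break;
                case ' ' when leading || trailing:
                    sb.Append("\\ ");
                    break;
                case '\0':
                    sb.Append("\\00");
                    break;
                default:
                    sb.Append(c);
                    break;
            }
        }
        return sb.ToString();
    }

    // Defence in depth, as the first post proposes: reject by allow-list first, escape second.
    public static string BuildUidFilter(string username)
    {
        if (!IsAllowedUsername(username)) throw new ArgumentException("username rejected by allow-list");
        return "(uid=" + EscapeFilterValue(username) + ")";
    }

    public static string BuildUidDn(string username, string baseDn)
    {
        if (!IsAllowedUsername(username)) throw new ArgumentException("username rejected by allow-list");
        return "uid=" + EscapeDnValue(username) + "," + baseDn;
    }

    public static void Main()
    {
        // Constructed inputs: a plain name, a value carrying filter metacharacters,
        // and a value carrying DN metacharacters.
        Console.WriteLine(BuildUidFilter("alice"));
        Console.WriteLine(EscapeFilterValue("a*b)(c\\"));
        Console.WriteLine(EscapeDnValue(" Smith, John #1 "));
        Console.WriteLine(BuildUidDn("alice", "ou=people,dc=example,dc=com"));
        Console.WriteLine(IsAllowedUsername("a*b"));
    }
}
```

The two escapings are deliberately separate functions because the metacharacter sets do not overlap: an asterisk becomes `\2a` in a filter value but is harmless in a DN, while a comma must become `\,` in an RDN value but is harmless in a filter. That is why a filter encoder such as `LdapFilterEncode` cannot double as a DN encoder, which matches the comment on `GetRootedUidDn` above. The allow-list check in front of both builders is the redundancy the first post describes; with a strict allow-list the escaping never fires for accepted input, but it keeps the builders safe if the allow-list is later loosened.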
