In the code below (red text) I'm getting an LDAP injection vulnerability error. I'm having trouble identifying the parameters needed to call the escape routine. The LDAP query string is located in the class EscapeLDAPQueryString. What are the parameters for calling the escape routine? (`String escapedString = EscapeLDAPQueryString.escapeQuery();`)
What is the escapedString, and what is the string that needs to be escaped?
```java
// Fragment of the search method that is flagged for LDAP injection
magnifySearchLogger.trace("filter=" + StringEscapeUtils.replaceCRLF(filter));
final String modified_group = dnOfGroup;
magnifySearchLogger.trace("Group=" + dnOfGroup);
magnifySearchLogger.trace("modified_group=" + modified_group);
// modified_group is the search base (a DN); filter is the search filter string.
// Both reach the directory unescaped here.
final NamingEnumeration<SearchResult> answer = this.ctx
        .search(modified_group, filter, ctls);
//String results = " Not Found ";
final int count = countResults(answer);
return count;
```
EscapeLDAPQueryString Class Code
```java
// Class and method signature reconstructed from the call
// EscapeLDAPQueryString.escapeQuery() in the question; the body is as posted.
public class EscapeLDAPQueryString {

    // Escapes the value of every RDN in a comma-separated DN and reassembles it.
    // Caveat: a plain split on ',' mis-parses a DN whose value already contains
    // an escaped comma ("\,"); such input needs an RDN-aware parser.
    public static String escapeQuery(String queryString) {
        //String relativeDN = "cn=abc,dn=xyz,ou=abc+\"<>/d=ef";
        //Split String
        String[] stringData = queryString.split(",");
        StringBuilder newLDAPString = new StringBuilder();
        CharSequence charAdded = ",";
        // loop thru each element of the array
        for (int place = 0; place < stringData.length; place++) {
            String keyValuePair = stringData[place];
            int eq = keyValuePair.indexOf('=');
            // attribute type including the '=' (empty when no '=' is present)
            String distinguishedName = keyValuePair.substring(0, eq + 1);
            String distinguishedValue = keyValuePair.substring(eq + 1);
            // StringEscapeUtils.escapeDN is the project's own helper (not shown here)
            String escapedDistinguishedValue = StringEscapeUtils.escapeDN(distinguishedValue);
            newLDAPString.append(distinguishedName)
                         .append(escapedDistinguishedValue);
            if (place < stringData.length - 1) {
                newLDAPString.append(charAdded);
            }
        }
        return newLDAPString.toString();
    }
}
```
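As an added example (not code from the question or its project), this shows the two different escapings the snippets above run together: the value inside the base DN (dnOfGroup) needs RFC 4514 DN escaping, which is what escapeQuery's per-RDN escapeDN does, while a value inside filter needs RFC 4515 filter escaping, or better the JNDI search overload that substitutes {0} placeholders itself. The class and method names and the sample inputs are assumed here.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Rdn;

public final class LdapEscapingExample {
    /** RFC 4515: escape a value that is embedded in a search filter string. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    /** RFC 4514: escape a value that becomes part of a DN (what escapeDN must do). */
    static String escapeDnValue(String value) {
        return Rdn.escapeValue(value); // JDK helper; handles , + " \ < > ; # and edge spaces
    }
    /** Safest option for the filter: JNDI substitutes {0} with a correctly escaped value. */
    static int countMembers(DirContext ctx, String groupDn, String untrustedUid) throws NamingException {
        NamingEnumeration<SearchResult> answer = ctx.search(
                groupDn, "(&(objectClass=person)(uid={0}))", new Object[] {untrustedUid}, new SearchControls());
        int count = 0;
        while (answer.hasMore()) { answer.next(); count++; }
        return count;
    }
    public static void main(String[] args) {
        String groupName = "Sales, EMEA + Ops"; // constructed sample input
        String uid = "smith*(temp)";            // constructed sample input
        // Base DN (first argument of ctx.search): DN escaping of each RDN value
        String dnOfGroup = "cn=" + escapeDnValue(groupName) + ",ou=groups,dc=example,dc=com";
        // Filter (second argument): filter escaping, or the {0} form used in countMembers
        String filter = "(&(objectClass=person)(uid=" + escapeFilterValue(uid) + "))";
        System.out.println(dnOfGroup);
        System.out.println(filter);
    }
}
```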