DEVHIDE
Login Or Sign up

False positive Spring LDAP from findbugs-sec-plugin

237 Views Asked by At

It looks like it does not take into account that Filter.toString/encode can actually encode LDAP filter correctly. So if I have a flags something like

Filter filter = blahblah;
ldapTemplate.search("", filter.toString());

it would flag that this code is vulnerable to LDAP injection where it should not.

How do I make findsec-bugs-plugin not to flag this kind of usage as an issue?

java spotbugs find-sec-bugs
Original Q&A
1

There are 1 best solutions below

0
On

It all depends on the implementation of the Filter class. The class is not known yet by Find-Security-Bugs. If it is properly escaping potential input, we could easily mark Filter.toString() as safe. Is it the class from UnboundID.

Please open a ticket on the issue tracker on Find-Security-Bugs.

Related Questions in JAVA

Related Questions in SPOTBUGS

Related Questions in FIND-SEC-BUGS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.