False positive Spring LDAP from findbugs-sec-plugin


It looks like it does not take into account that Filter.toString/encode can actually encode an LDAP filter correctly. So if I have something like

Filter filter = blahblah;
ldapTemplate.search("", filter.toString());

it would flag that this code is vulnerable to LDAP injection where it should not.

How do I make findsec-bugs-plugin not flag this kind of usage as an issue?


It all depends on the implementation of the Filter class. The class is not known yet by Find-Security-Bugs. If it is properly escaping potential input, we could easily mark Filter.toString() as safe. Is it the class from UnboundID?

Please open a ticket on the issue tracker on Find-Security-Bugs.
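The distinction the answer draws, a filter built by hand from untrusted input versus one built through Spring LDAP's Filter classes, as an added example that is not part of the question or answer and not Spring LDAP or Find-Security-Bugs project code. The class name LdapLookup, the method names and the "cn"/"uid" attributes are assumptions chosen for illustration; the Spring LDAP API calls (EqualsFilter, AndFilter, Filter.encode(), LdapEncoder.filterEncode, LdapTemplate.search) and the SpotBugs @SuppressFBWarnings annotation are real:

```java
import java.util.List;

import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapEncoder;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

/** Hypothetical lookup class; the names here are assumptions for the example. */
public class LdapLookup {

    private final LdapTemplate ldapTemplate;

    public LdapLookup(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    /**
     * Genuinely vulnerable: the caller-supplied value is concatenated straight
     * into the filter string. An attacker-controlled uid such as "*)(uid=*"
     * rewrites the filter structure and matches every person entry. This is the
     * pattern LDAP_INJECTION is meant to catch.
     */
    public List<String> findVulnerable(String uid) {
        String filter = "(&(objectclass=person)(uid=" + uid + "))";
        return ldapTemplate.search("", filter,
                (AttributesMapper<String>) attrs -> (String) attrs.get("cn").get());
    }

    /**
     * Safe: EqualsFilter runs the value through LdapEncoder.filterEncode, which
     * applies the RFC 4515 escaping for the characters that carry meaning inside
     * a filter (* ( ) \ and NUL become \2a \28 \29 \5c \00). The value can no
     * longer close or open a filter component, so the structure is fixed by the
     * code, not by the input.
     *
     * Find-Security-Bugs only sees a String reaching LdapTemplate.search and
     * does not yet model Filter.encode() as a sanitizer, so it reports the same
     * bug pattern here. Until the Filter classes are taught to the plugin, the
     * supported way to silence a reviewed false positive is a targeted
     * @SuppressFBWarnings (from the spotbugs-annotations artifact) with a
     * justification, scoped to this one method rather than the whole class.
     */
    @SuppressFBWarnings(
            value = "LDAP_INJECTION",
            justification = "Filter built with EqualsFilter, which escapes the user value")
    public List<String> findSafe(String uid) {
        AndFilter filter = new AndFilter()
                .and(new EqualsFilter("objectclass", "person"))
                .and(new EqualsFilter("uid", uid));
        return ldapTemplate.search("", filter.encode(),
                (AttributesMapper<String>) attrs -> (String) attrs.get("cn").get());
    }

    /**
     * Same escaping applied directly, for code that must build part of a filter
     * by hand. Prefer the Filter classes; use this only where they do not fit.
     */
    public static String manuallyEscapedFilter(String uid) {
        return "(&(objectclass=person)(uid=" + LdapEncoder.filterEncode(uid) + "))";
    }
}
```

When reviewing a flagged call, the question to ask is whether every String that reaches search() was produced by a Filter's encode()/toString() or by LdapEncoder.filterEncode; if any segment is concatenated raw, the warning is real and the fix is to move that value into an EqualsFilter (or the matching Filter subclass) rather than to suppress it.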