It looks like it does not take into account that Filter.toString/encode
can actually encode an LDAP filter correctly. So if I have a Filter, something like
Filter filter = blahblah;
ldapTemplate.search("", filter.toString());
it would flag that this code is vulnerable to LDAP injection where it should not.
How do I make findsec-bugs-plugin not flag this kind of usage as an issue?
It all depends on the implementation of the Filter class. The class is not known yet by Find-Security-Bugs. If it is properly escaping potential input, we could easily mark Filter.toString() as safe. Is it the class from UnboundID? Please open a ticket on the issue tracker of Find-Security-Bugs.