Posted to commits@camel.apache.org by da...@apache.org on 2022/12/14 14:14:58 UTC
[camel] branch camel-3.14.x updated: camel-ldap - Add docs about LDAP injection
This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch camel-3.14.x
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/camel-3.14.x by this push:
new 56aabd4e8fa camel-ldap - Add docs about LDAP injection
56aabd4e8fa is described below
commit 56aabd4e8fa0a2f44c65f0a66474a93d4080c489
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Wed Dec 14 15:14:12 2022 +0100
camel-ldap - Add docs about LDAP injection
---
.../camel-ldap/src/main/docs/ldap-component.adoc | 45 +++++++++++-----------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/components/camel-ldap/src/main/docs/ldap-component.adoc b/components/camel-ldap/src/main/docs/ldap-component.adoc
index 118fa0b487b..a0be923917c 100644
--- a/components/camel-ldap/src/main/docs/ldap-component.adoc
+++ b/components/camel-ldap/src/main/docs/ldap-component.adoc
@@ -14,9 +14,9 @@
*{component-header}*
The LDAP component allows you to perform searches in LDAP servers
-using filters as the message payload. +
- This component uses standard JNDI (`javax.naming` package) to access
-the server.
+using filters as the message payload.
+
+This component uses standard JNDI (`javax.naming` package) to access the server.
Maven users will need to add the following dependency to their `pom.xml`
for this component:
@@ -59,15 +59,14 @@ include::partial$component-endpoint-options.adoc[]
== Result
-The result is returned in the Out body as a
-`ArrayList<javax.naming.directory.SearchResult>` object.
+The result is returned to Out body as a `List<javax.naming.directory.SearchResult>` object.
== DirContext
The URI, `ldap:ldapserver`, references a Spring bean with the ID,
`ldapserver`. The `ldapserver` bean may be defined as follows:
-[source,java]
+[source,xml]
-----------------------------------------------------------------------------------------
<bean id="ldapserver" class="javax.naming.directory.InitialDirContext" scope="prototype">
<constructor-arg>
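Review bot: "The result is returned to Out body" reads awkwardly; keep the wording of the removed line, "returned in the Out body as a `List<javax.naming.directory.SearchResult>` object", and the sentence is fine. The type change from `ArrayList` to `List` and the `[source,java]` to `[source,xml]` fix are both correct, since the block that follows is Spring bean XML, not Java.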
@@ -93,6 +92,16 @@ or that the context supports concurrency. In the Spring framework,
up.
====
+== Security concerns related to LDAP injection
+
+IMPORTANT: The camel-ldap component uses the message body as filter the search results.
+Therefore, the message body should be protected from LDAP injection. To assist with this,
+you can use `org.apache.camel.component.ldap.LdapHelper` utility class that has method(s)
+to escape string values to be LDAP injection safe.
+
+See the following link
+for information about https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html[LDAP Injection].
+
== Samples
Following on from the Spring configuration above, the code sample below
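Review bot: the admonition sentence "uses the message body as filter the search results" is missing a word; suggest "uses the message body as the filter for the search". For a security note, "has method(s) to escape string values" is too vague: name the `LdapHelper` method readers are expected to call, and state the limit of what it does. Escaping only helps when the route composes the filter itself from a fixed template and substitutes the untrusted input as a value; if the whole message body is accepted from an untrusted caller, escaping it turns the filter into an unusable string rather than making it safe, so the doc should tell readers to keep the filter structure fixed and escape only the substituted values.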
@@ -101,26 +110,22 @@ Name is then extracted from the response.
[source,java]
----------------------------------------------------------
-ProducerTemplate<Exchange> template = exchange
- .getContext().createProducerTemplate();
+ProducerTemplate template = exchange.getContext().createProducerTemplate();
-Collection<?> results = (Collection<?>) (template
- .sendBody(
+Collection results = template.sendBody(
"ldap:ldapserver?base=ou=mygroup,ou=groups,ou=system",
- "(member=uid=huntc,ou=users,ou=system)"));
+ "(member=uid=huntc,ou=users,ou=system)", Collection.class);
if (results.size() > 0) {
// Extract what we need from the device's profile
- Iterator<?> resultIter = results.iterator();
- SearchResult searchResult = (SearchResult) resultIter
- .next();
- Attributes attributes = searchResult
- .getAttributes();
+ Iterator> resultIter = results.iterator();
+ SearchResult searchResult = (SearchResult) resultIter.next();
+ Attributes attributes = searchResult.getAttributes();
Attribute deviceCNAttr = attributes.get("cn");
String deviceCN = (String) deviceCNAttr.get();
-
- ...
+ // ...
+}
----------------------------------------------------------
If no specific filter is required - for example, you just need to look
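Review bot: `Iterator> resultIter = results.iterator();` in the rewritten sample is a typo that will not compile; it should be `Iterator<?> resultIter = results.iterator();` (or drop the generic, as the surrounding raw `Collection` does). In the same block, `template.sendBody(uri, body, Collection.class)` does not match `ProducerTemplate`: `sendBody` returns void, and the three-argument overload that returns a typed result is `requestBody(String endpointUri, Object body, Class<T> type)`, so the line should be `Collection results = template.requestBody("ldap:ldapserver?base=ou=mygroup,ou=groups,ou=system", "(member=uid=huntc,ou=users,ou=system)", Collection.class);`. Since the new section just above warns about LDAP injection, this sample would also be the natural place to show the filter built from an escaped value rather than a hard-coded literal.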
@@ -191,7 +196,6 @@ the InitialDirContext bean - see below sample.
xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">
-
<sslContextParameters xmlns="http://camel.apache.org/schema/blueprint"
id="sslContextParameters">
<keyManagers
@@ -268,8 +272,6 @@ public class CustomSocketFactory extends SSLSocketFactory {
/**
* Getter for the SocketFactory
- *
- * @return
*/
public static SocketFactory getDefault() {
return new CustomSocketFactory();
@@ -313,5 +315,4 @@ public class CustomSocketFactory extends SSLSocketFactory {
-----------------------------------------------------------------------------------------------------
-
include::spring-boot:partial$starter.adoc[]