Posted to commits@camel.apache.org by da...@apache.org on 2022/12/14 14:14:58 UTC

[camel] branch camel-3.14.x updated: camel-ldap - Add docs about LDAP injection

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch camel-3.14.x
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/camel-3.14.x by this push:
     new 56aabd4e8fa camel-ldap - Add docs about LDAP injection
56aabd4e8fa is described below

commit 56aabd4e8fa0a2f44c65f0a66474a93d4080c489
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Wed Dec 14 15:14:12 2022 +0100

    camel-ldap - Add docs about LDAP injection
---
 .../camel-ldap/src/main/docs/ldap-component.adoc   | 45 +++++++++++-----------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/components/camel-ldap/src/main/docs/ldap-component.adoc b/components/camel-ldap/src/main/docs/ldap-component.adoc
index 118fa0b487b..a0be923917c 100644
--- a/components/camel-ldap/src/main/docs/ldap-component.adoc
+++ b/components/camel-ldap/src/main/docs/ldap-component.adoc
@@ -14,9 +14,9 @@
 *{component-header}*
 
 The LDAP component allows you to perform searches in LDAP servers
-using filters as the message payload. +
- This component uses standard JNDI (`javax.naming` package) to access
-the server.
+using filters as the message payload.
+
+This component uses standard JNDI (`javax.naming` package) to access the server.
 
 Maven users will need to add the following dependency to their `pom.xml`
 for this component:
@@ -59,15 +59,14 @@ include::partial$component-endpoint-options.adoc[]
 
 == Result
 
-The result is returned in the Out body as a
-`ArrayList<javax.naming.directory.SearchResult>` object.
+The result is returned to Out body as a `List<javax.naming.directory.SearchResult>` object.
 
 == DirContext
 
 The URI, `ldap:ldapserver`, references a Spring bean with the ID,
 `ldapserver`. The `ldapserver` bean may be defined as follows:
 
-[source,java]
+[source,xml]
 -----------------------------------------------------------------------------------------
 <bean id="ldapserver" class="javax.naming.directory.InitialDirContext" scope="prototype">
   <constructor-arg>
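Review bot: The rewritten Result sentence "The result is returned to Out body as a ..." reads less naturally than the line it replaces ("in the Out body"); suggest keeping "in the Out body" so it reads "The result is returned in the Out body as a `List<javax.naming.directory.SearchResult>` object." The `[source,java]` to `[source,xml]` change is correct, since the snippet that follows is a Spring bean definition.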
@@ -93,6 +92,16 @@ or that the context supports concurrency. In the Spring framework,
 up.
 ====
 
+== Security concerns related to LDAP injection
+
+IMPORTANT: The camel-ldap component uses the message body as filter the search results.
+Therefore, the message body should be protected from LDAP injection. To assist with this,
+you can use `org.apache.camel.component.ldap.LdapHelper` utility class that has method(s)
+to escape string values to be LDAP injection safe.
+
+See the following link
+for information about https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html[LDAP Injection].
+
 == Samples
 
 Following on from the Spring configuration above, the code sample below
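Review bot: The new IMPORTANT admonition is missing a word in "uses the message body as filter the search results"; suggest "uses the message body as the filter for the search". It also points readers at `org.apache.camel.component.ldap.LdapHelper` without naming the escape method, so the docs do not tell them what to call; please state the method name and show a one-line usage in which the untrusted value is escaped before it is placed in the filter string that becomes the message body. "See the following link for information about ... [LDAP Injection]" could be tightened to "See the OWASP LDAP Injection Prevention Cheat Sheet for more information."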
@@ -101,26 +110,22 @@ Name is then extracted from the response.
 
 [source,java]
 ----------------------------------------------------------
-ProducerTemplate<Exchange> template = exchange
-  .getContext().createProducerTemplate();
+ProducerTemplate template = exchange.getContext().createProducerTemplate();
 
-Collection<?> results = (Collection<?>) (template
-  .sendBody(
+Collection results = template.sendBody(
     "ldap:ldapserver?base=ou=mygroup,ou=groups,ou=system",
-    "(member=uid=huntc,ou=users,ou=system)"));
+    "(member=uid=huntc,ou=users,ou=system)", Collection.class);
 
 if (results.size() > 0) {
   // Extract what we need from the device's profile
 
-  Iterator<?> resultIter = results.iterator();
-  SearchResult searchResult = (SearchResult) resultIter
-      .next();
-  Attributes attributes = searchResult
-      .getAttributes();
+  Iterator> resultIter = results.iterator();
+  SearchResult searchResult = (SearchResult) resultIter.next();
+  Attributes attributes = searchResult.getAttributes();
   Attribute deviceCNAttr = attributes.get("cn");
   String deviceCN = (String) deviceCNAttr.get();
-
-  ...
+  // ...
+}
 ----------------------------------------------------------
 
 If no specific filter is required - for example, you just need to look
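Review bot: `Iterator> resultIter = results.iterator();` does not compile because the type argument is malformed; it should be `Iterator<?> resultIter = results.iterator();`, matching the `<?>` that the removed lines had. `Collection results = template.sendBody(..., Collection.class);` also needs a second look: on `ProducerTemplate` the method that takes a result type and returns a value is `requestBody(String, Object, Class<T>)`, whereas `sendBody` returns nothing, so the sample should call `requestBody(...)` and declare `Collection<?> results` rather than the raw type. Since this same change adds a section on LDAP injection, the sample is the natural place to show the filter being assembled with `LdapHelper` escaping instead of a literal `"(member=uid=huntc,...)"` string, so readers see the safe pattern in code rather than only in the admonition.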
@@ -191,7 +196,6 @@ the InitialDirContext bean - see below sample.
            xsi:schemaLocation="http://www.osgi.org/xmlns/blueprint/v1.0.0 http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
                  http://camel.apache.org/schema/blueprint http://camel.apache.org/schema/blueprint/camel-blueprint.xsd">
 
-
     <sslContextParameters xmlns="http://camel.apache.org/schema/blueprint"
                           id="sslContextParameters">
         <keyManagers
@@ -268,8 +272,6 @@ public class CustomSocketFactory extends SSLSocketFactory {
 
     /**
      * Getter for the SocketFactory
-     *
-     * @return
      */
     public static SocketFactory getDefault() {
         return new CustomSocketFactory();
@@ -313,5 +315,4 @@ public class CustomSocketFactory extends SSLSocketFactory {
 -----------------------------------------------------------------------------------------------------
 
 
-
 include::spring-boot:partial$starter.adoc[]