
It looks like it does not take into account that Filter.toString/encode can actually encode an LDAP filter correctly. So if I have something like

```java
Filter filter = blahblah;                  // built with the Filter API, not by string concatenation
ldapTemplate.search("", filter.toString());
```

it would flag that this code is vulnerable to LDAP injection where it should not.

How do I make the findsec-bugs plugin not flag this kind of usage as an issue?

Nat

1 Answer


It all depends on the implementation of the Filter class. The class is not known yet by Find-Security-Bugs. If it is properly escaping potential input, we could easily mark Filter.toString() as safe. Is it the class from UnboundID?

Please open a ticket on the issue tracker on Find-Security-Bugs.

h3xStream