Skip to content

Latest commit

 

History

History
216 lines (153 loc) · 6.69 KB

README.md

File metadata and controls

216 lines (153 loc) · 6.69 KB

Anti-LDAP Injection

nuget package ci build status cd release status

A .NET library that provides protections against LDAP Injection.

Most of the of the code was extracted from Microsoft's AntiXss library LDAP Encoder, which is no longer maintained.

Installation

The latest AntiLdapInjection package is available for installation on NuGet.

Using dotnet CLI

dotnet add package AntiLdapInjection

Using NuGet Package Manager

Install-Package AntiLdapInjection

See NuGet page for additional installation options.

Usage

FilterEncode

FilterEncode encodes input according to RFC 4515, where unsafe values are converted to \XX (XX is the representation of the unsafe character).

LdapEncoder.FilterEncode(string filterToEncode)

FilterEncode encoding chart

Character Encoded
( \28
) \29
\ \5c
* \2a
/ \2f
NUL \0

FilterEncode examples

Opening and closing parenthesis
string filter = "Parens R Us (for all your parenthetical needs)";
string encoded = LdapEncoder.FilterEncode(filter);

Console.WriteLine(encoded); // "Parens R Us \28for all your parenthetical needs\29"
Asterisk in search filter
string filter = "*";
string encoded = LdapEncoder.FilterEncode(filter);

Console.WriteLine(encoded); // "\2A"
Backslash in search filter
string filter = @"C:\MyFile";
string encoded = LdapEncoder.FilterEncode(filter);

Console.WriteLine(encoded); // "C:\5CMyFile"
Accents in search filter
string filter = "Lučić";
string encoded = LdapEncoder.FilterEncode(filter);

Console.WriteLine(encoded); // "Lu\C4\8Di\C4\87"

DistinguishedNameEncode

DistinguishedNameEncode encodes input according to RFC 2253, where unsafe characters are converted to #XX where XX is the representation of the unsafe character and the comma, plus, quote, slash, less than and great than signs are escaped using slash notation (\X). In addition to this, a space or octothorpe (#) at the beginning of the input string is escaped (\), as is a space at the end of a string.

LdapEncoder.DistinguishedNameEncode(string distinguishedNameToEncode)

You have the option to turn off initial or final character escaping rules. For example, if you are concatenating a escaped distinguished name fragment into the midst of a complete distinguished name.

LdapEncoder.DistinguishedNameEncode(
    string distinguishedNameToEncode,
    bool useInitialCharacterRules,
    bool useFinalCharacterRule
)

DistinguishedNameEncode encoding chart

Character Encoded
& \&
! \!
| \|
= \=
< \<
> \>
, \,
+ \+
- \-
" \"
' \'
; \;

DistinguishedNameEncode examples

Distinguished name slash notation
string dn = @", + \ "" \ < >";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);

Console.WriteLine(encoded); // "\, \+ \" \\ \< \>"
Leading space in distinguished name
string dn = " Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);

Console.WriteLine(encoded); // "\ Hello"
Trailing space in distinguished name
string dn = "Hello ";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);

Console.WriteLine(encoded); // "Hello\ "
Octothorpe character in distinguished name
string dn = "#Hello";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);

Console.WriteLine(encoded); // "\#Hello"
Accents in distinguished name
string dn = "Lučić";
string encoded = LdapEncoder.DistinguishedNameEncode(dn);

Console.WriteLine(encoded); // "Lu#C4#8Di#C4#87"

LDAP injection resources

Similar libraries

Similar libraries providing protections against LDAP injection, not necessarily in .NET.

Node.js

ldap-escape

ldap-escape is an npm package that provides template literal tag functions for LDAP filters and distinguished names to prevent LDAP injection attacks.

Other noteworthy .NET LDAP-related libraries

  • LdapForNet: Cross platform port of OpenLdap Client library and Windows LDAP to .NET Core
  • Linq2Ldap: Wrapper around System.DirectoryServices using LINQ Expressions as LDAP filters