authorEndi Sukma Dewata <edewata@redhat.com>2012-03-14 12:51:23 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-03-14 14:45:02 -0500
commit5c613fcb2323cb477ac6d4518a73fc4a810c2b3f (patch)
tree5e415ef33af90934c82c7d161982290d58de2331
parent2c960067012c43db1437f561a63fc515328344e2 (diff)
Escape parameter values in search filter.
The REST interface was vulnerable to LDAP filter injection because request parameter values were concatenated directly into the search filter. This has been fixed by escaping the special characters in parameter values (RFC 4515) before using them in the search filter. Ticket #96
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java5
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java7
-rw-r--r--pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java26
3 files changed, 33 insertions, 5 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
index b5032fa86..a7876a6c6 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/key/KeysResourceService.java
@@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.cms.servlet.base.CMSResourceService;
import com.netscape.cms.servlet.key.model.KeyDAO;
import com.netscape.cms.servlet.key.model.KeyDataInfos;
+import com.netscape.cmsutil.ldap.LDAPUtil;
/**
* @author alee
@@ -71,12 +72,12 @@ public class KeysResourceService extends CMSResourceService implements KeysResou
}
if (status != null) {
- filter += "(status=" + status + ")";
+ filter += "(status=" + LDAPUtil.escape(status) + ")";
matches ++;
}
if (clientID != null) {
- filter += "(clientID=" + clientID + ")";
+ filter += "(clientID=" + LDAPUtil.escape(clientID) + ")";
matches ++;
}
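Review bot: Escaping `status` and `clientID` closes the structural injection, but it also changes semantics: a `*` in `clientID` is now a literal and no longer a wildcard, so if the REST interface previously allowed wildcard searches that should be called out in the API documentation, and if it never did, this escape is now the only thing preventing enumeration via `(clientID=*)`. A short why-comment on the first escaped line would make that intent explicit, e.g. `// RFC 4515 escape: caller-supplied values must not alter filter structure`. The filter is initialised and presumably wrapped with `(&...)` using `matches` outside this hunk, so any other parameters concatenated there should get the same treatment; the enclosing method starts and ends outside the hunk.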
diff --git a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
index 9b11a96d6..11898ef7a 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/request/KeyRequestsResourceService.java
@@ -29,6 +29,7 @@ import com.netscape.certsrv.request.RequestId;
import com.netscape.cms.servlet.base.CMSResourceService;
import com.netscape.cms.servlet.request.model.KeyRequestDAO;
import com.netscape.cms.servlet.request.model.KeyRequestInfos;
+import com.netscape.cmsutil.ldap.LDAPUtil;
/**
* @author alee
@@ -77,17 +78,17 @@ public class KeyRequestsResourceService extends CMSResourceService implements Ke
}
if (requestState != null) {
- filter += "(requeststate=" + requestState + ")";
+ filter += "(requeststate=" + LDAPUtil.escape(requestState) + ")";
matches ++;
}
if (requestType != null) {
- filter += "(requesttype=" + requestType + ")";
+ filter += "(requesttype=" + LDAPUtil.escape(requestType) + ")";
matches ++;
}
if (clientID != null) {
- filter += "(clientID=" + clientID + ")";
+ filter += "(clientID=" + LDAPUtil.escape(clientID) + ")";
matches ++;
}
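Review bot: `requestState` and `requestType` look like fixed vocabularies rather than free text, so escaping alone leaves a mistyped or hostile value silently producing an empty result set instead of a clear client error; validating them against the known set of states/types before building the filter (returning a 400-style error on mismatch) would be the stronger control, with `LDAPUtil.escape` kept as defence in depth. That is an inference from the attribute names, not something visible here. The enclosing method and the `(&...)` wrapping driven by `matches` start and end outside this hunk, so any other concatenated parameters there should be checked for the same escaping.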
diff --git a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
index a78f8ac55..e821db67a 100644
--- a/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
+++ b/pki/base/util/src/com/netscape/cmsutil/ldap/LDAPUtil.java
@@ -33,6 +33,32 @@ import netscape.ldap.util.LDIFModifyContent;
import netscape.ldap.util.LDIFRecord;
public class LDAPUtil {
+
+ // special chars are *, (, ), \, null
+ public static String SPECIAL_CHARS = "*()\\\000";
+
+ /**
+ * This method escapes special characters for LDAP filter (RFC 4515).
+ * Each special character will be replaced by a backslash followed by
+ * 2-digit hex of the ASCII code.
+ *
+ * @param string string to escape
+ * @return escaped string
+ */
+ public static String escape(String string) {
+ StringBuilder sb = new StringBuilder();
+ for (char c : string.toCharArray()) {
+ if (SPECIAL_CHARS.indexOf(c) >= 0) {
+ sb.append('\\');
+ if (c < 0x10) sb.append('0'); // make sure it's 2-digit
+ sb.append(Integer.toHexString(c));
+ } else {
+ sb.append(c);
+ }
+ }
+ return sb.toString();
+ }
+
public static void importLDIF(LDAPConnection conn, String filename, ArrayList<String> errors) throws IOException {
LDIF ldif = new LDIF(filename);
while (true) {
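Review bot: `SPECIAL_CHARS` is declared `public static String`, so any code in the process can reassign it and silently disable the escaping that the two resource services now depend on; it should be `private static final String SPECIAL_CHARS = "*()\\\000";`. The Javadoc should also state that a `null` argument throws `NullPointerException` (from `toCharArray()`) and that this escaping is for filter assertion values only, not for DN components, which follow the different RFC 4514 rules. A small unit test asserting `escape("a*(b)\\c")` yields `a\2a\28b\29\5cc` and that the NUL byte becomes `\00` would pin the encoding. `importLDIF` continues past the end of this hunk.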