
no-ldap-injection

Detects LDAP injection vulnerabilities. This rule is part of [`eslint-plugin-secure-coding`](https://www.npmjs.com/package/eslint-plugin-secure-coding).

Keywords: LDAP injection, CWE-90, directory service, authentication bypass, security, Active Directory

💼 This rule is set to error in the recommended config.

Quick Summary

| Aspect | Details |
|---|---|
| CWE Reference | CWE-90 (LDAP Injection) |
| Severity | Critical (CVSS 9.8) |
| Auto-Fix | 💡 Suggestions available |
| Category | Injection Prevention |

Vulnerability and Risk

Vulnerability: LDAP injection occurs when untrusted input is placed into an LDAP search filter or distinguished name (DN) without escaping. Characters such as `*`, `(`, `)` and `\` carry structure in a filter, so unescaped input lets the attacker change the meaning of the statement rather than just the value being compared.

Risk: Attackers can alter LDAP queries to bypass authentication (for example, turning a `(uid=<input>)` check into one that matches every user), read directory data they should not see (emails, phone numbers, group membership, password hashes where the directory exposes them), and, where the injected statement reaches a write operation, modify user attributes.

Rule Details

LDAP injection occurs when user input is improperly inserted into LDAP queries, allowing attackers to:

  • Bypass authentication and authorization
  • Extract sensitive directory information (users, groups, passwords)
  • Perform unauthorized LDAP operations
  • Enumerate users through blind injection techniques

Why This Matters

| Issue | Impact | Solution |
|---|---|---|
| 🔓 Auth Bypass | Unauthorized access | Escape LDAP filter values |
| 📤 Data Theft | Directory data exposure | Validate and sanitize input |
| 👥 Enumeration | User discovery | Build filters from filter objects (e.g. ldapjs `EqualityFilter`) instead of strings |

Examples

❌ Incorrect

// String interpolation in LDAP filter
const filter = `(uid=${username})`;
ldapClient.search('ou=users,dc=example,dc=com', { filter });

// String concatenation
const searchFilter = '(cn=' + userInput + ')';

// Template literal with untrusted input
const ldapFilter = `(&(objectClass=user)(mail=${email}))`;

✅ Correct

import { escape } from 'ldap-escape';
import ldap from 'ldapjs';

// Escape LDAP filter values before interpolating them
const uidFilter = `(uid=${escape.filterValue(username)})`;

// Use ldapjs filter objects, which escape the value when the filter is serialized
const equalityFilter = new ldap.filters.EqualityFilter({
  attribute: 'uid',
  value: username, // ldapjs handles escaping
});

// Validate input (allowlist) and escape it before building the filter
if (isValidUsername(username)) { // isValidUsername: allowlist check defined elsewhere
  const escapedUser = escape.filterValue(username);
  const validatedFilter = `(uid=${escapedUser})`;
}
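To make the escaping concrete, here is an added, stand-alone example that is not part of the plugin or of this page's original code: an RFC 4515 filter-value escaper and an RFC 4514 DN-value escaper, applied to the classic authentication-bypass payload `*)(uid=*))(|(uid=*` so that the vulnerable and the hardened filter can be compared on the same input. The function names (`escapeFilterValue`, `escapeDnValue`, `unsafeLoginFilter`, `safeLoginFilter`, `countOpenParens`) and the payload are this example's own; it uses only Node.js built-ins and does not depend on ldapjs or ldap-escape.

```javascript
// Added example for this page: RFC 4515 / RFC 4514 escaping for LDAP values,
// with a before/after comparison on a constructed bypass payload.
// Stand-alone Node.js code; function names are this example's own.

// Escape one filter assertion value per RFC 4515 section 3. The characters that
// carry structure in a filter ('*', '(', ')', '\', NUL) become "\XX" hex escapes;
// control characters and bytes outside printable ASCII are hex-escaped as well,
// which covers UTF-8 input byte by byte.
function escapeFilterValue(value) {
  const bytes = Buffer.from(String(value), 'utf8');
  let out = '';
  for (const b of bytes) {
    const structural = b === 0x2a || b === 0x28 || b === 0x29 || b === 0x5c; // * ( ) \
    if (structural || b < 0x20 || b > 0x7e) {
      out += '\\' + b.toString(16).padStart(2, '0');
    } else {
      out += String.fromCharCode(b);
    }
  }
  return out;
}

// Escape an attribute value for use inside a DN (RFC 4514 section 2.4).
// Special characters get a backslash prefix; '=' is not required but permitted.
// A leading '#' or space and a trailing space are significant at the boundaries
// of a value and are escaped too. NUL must be written as "\00".
function escapeDnValue(value) {
  let s = String(value).replace(/[\\,+"<>;=]/g, (c) => '\\' + c);
  s = s.replace(/\0/g, '\\00');
  if (s.startsWith('#') || s.startsWith(' ')) s = '\\' + s;
  if (s.endsWith(' ')) s = s.slice(0, -1) + '\\ ';
  return s;
}

// Vulnerable construction: the "Incorrect" pattern from this page, kept on
// purpose so both filters can be built from the same payload.
function unsafeLoginFilter(username) {
  return `(&(objectClass=user)(uid=${username}))`;
}

// Hardened construction: same filter shape, value escaped before interpolation.
function safeLoginFilter(username) {
  return `(&(objectClass=user)(uid=${escapeFilterValue(username)}))`;
}

// After escaping, no literal '(' can remain inside a value, so every '(' left in
// the string is structural. Counting them shows whether the input added clauses.
function countOpenParens(filter) {
  return (filter.match(/\(/g) || []).length;
}

// Constructed payload: closes the uid assertion, adds a wildcard clause, and
// opens an OR branch that matches every entry.
const PAYLOAD = '*)(uid=*))(|(uid=*';

console.log('unsafe :', unsafeLoginFilter(PAYLOAD), '->', countOpenParens(unsafeLoginFilter(PAYLOAD)), 'clauses opened');
console.log('safe   :', safeLoginFilter(PAYLOAD), '->', countOpenParens(safeLoginFilter(PAYLOAD)), 'clauses opened');
console.log('dn     :', `cn=${escapeDnValue('Smith, John')},ou=users,dc=example,dc=com`);

module.exports = { escapeFilterValue, escapeDnValue, unsafeLoginFilter, safeLoginFilter, countOpenParens, PAYLOAD };
```

The developer wrote a filter with three assertions. With the raw payload the filter grows to six opening parentheses and gains a `(|(uid=*))` branch that matches every user; with the escaped value it keeps exactly three, and the whole payload is compared as a literal string against `uid`. If you adopt a helper like this alongside the rule, add its name to `ldapEscapeFunctions` so the rule recognizes it as a sanitizer.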

Configuration

{
  rules: {
    'secure-coding/no-ldap-injection': ['error', {
      ldapFunctions: ['search', 'bind', 'modify', 'add', 'delete'],
      ldapEscapeFunctions: ['escape.filterValue', 'escape.dnValue'],
      ldapValidationFunctions: ['validateLdapInput', 'sanitizeLdapFilter']
    }]
  }
}

Options

| Option | Type | Default | Description |
|---|---|---|---|
| `ldapFunctions` | `string[]` | `['search', 'bind', 'modify']` | LDAP functions to check |
| `ldapEscapeFunctions` | `string[]` | `['escape.filterValue']` | LDAP escape functions |
| `ldapValidationFunctions` | `string[]` | `['validateLdapInput']` | Validation functions |

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

🔒 CWE-90 OWASP:A05 CVSS:9.8 | LDAP Injection detected | CRITICAL
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A05_2021/

Message Components

| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | `CWE-90 OWASP:A05 CVSS:9.8` |
| Issue Description | Specific vulnerability | `LDAP Injection detected` |
| Severity & Compliance | Impact assessment | `CRITICAL` |
| Fix Instruction | Actionable remediation | `Review and apply the recommended fix` |
| Technical Truth | Official reference | OWASP Top 10 |

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Query from Variable

Why: Filter strings that reach the LDAP call through a variable assigned elsewhere (another function or module) are not traced back to their source.

// ❌ NOT DETECTED - Filter string from variable
const filter = buildUserFilter(req.query.user); // builds `(uid=${user})` in another module
ldapClient.search('ou=users,dc=example,dc=com', { filter }, callback);

Mitigation: Escape or validate every value at the point where it enters a filter or DN, whatever path the string takes to the client call.

Custom Query Builders

Why: Custom LDAP filter builders and wrapper libraries are not recognized.

// ❌ NOT DETECTED - Custom builder
directory.where(userInput).find();

Mitigation: Review every filter builder or wrapper for escaping of attribute values.

Template Engines

Why: Filters rendered from templates are not analyzed.

// ❌ NOT DETECTED - Template
renderFilterTemplate('user-by-uid', { username });

Mitigation: Validate or escape all template variables before rendering.
