nyx/tests/fixtures/ldap_injection/java/UnsafeLdapSearch.java

// Unsafe: attacker-controlled username concatenated into an LDAP filter passed
// to DirContext.search.  The receiver `ctx` carries TypeKind::LdapClient via
// the declared `DirContext` type so type-qualified resolution rewrites the
// callee to `LdapClient.search` and the LDAP_INJECTION sink fires.
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.servlet.http.HttpServletRequest;

public class UnsafeLdapSearch {
    private DirContext ctx;

    public Object lookup(HttpServletRequest req) throws Exception {
        String user = req.getParameter("user");
        String filter = "(uid=" + user + ")";
        return ctx.search("ou=people,dc=example,dc=com", filter, new SearchControls());
    }
}
new capacity bits (#67) 2026-05-07 01:29:31 -04:00			`// Unsafe: attacker-controlled username concatenated into an LDAP filter passed`
			// to DirContext.search. The receiver `ctx` carries TypeKind::LdapClient via
			// the declared `DirContext` type so type-qualified resolution rewrites the
			// callee to `LdapClient.search` and the LDAP_INJECTION sink fires.
			`import javax.naming.directory.DirContext;`
			`import javax.naming.directory.SearchControls;`
			`import javax.servlet.http.HttpServletRequest;`

			`public class UnsafeLdapSearch {`
			`private DirContext ctx;`

			`public Object lookup(HttpServletRequest req) throws Exception {`
			`String user = req.getParameter("user");`
			`String filter = "(uid=" + user + ")";`
			`return ctx.search("ou=people,dc=example,dc=com", filter, new SearchControls());`
			`}`
			`}`