Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

Java static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your JAVA code

Tags

Impact

Clean code attribute

Processing persistent unique identifiers is security-sensitive
Security Hotspot
Exposing native code through JavaScript interfaces is security-sensitive
Security Hotspot
Hard-coded secrets are security-sensitive
Security Hotspot
Enabling file access for WebViews is security-sensitive
Security Hotspot
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Using unencrypted files in mobile applications is security-sensitive
Security Hotspot
Using biometric authentication without a cryptographic solution is security-sensitive
Security Hotspot
Using unencrypted databases in mobile applications is security-sensitive
Security Hotspot
Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
Security Hotspot
Using long-term access keys is security-sensitive
Security Hotspot
Using slow regular expressions is security-sensitive
Security Hotspot
Allowing user enumeration is security-sensitive
Security Hotspot
Allowing requests with excessive content length is security-sensitive
Security Hotspot
Disclosing fingerprints from web application technologies is security-sensitive
Security Hotspot
Using publicly writable directories is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Accessing Android external storage is security-sensitive
Security Hotspot
Receiving intents is security-sensitive
Security Hotspot
Broadcasting intents is security-sensitive
Security Hotspot
Disabling auto-escaping in template engines is security-sensitive
Security Hotspot
Having a permissive Cross-Origin Resource Sharing policy is security-sensitive
Security Hotspot
Expanding archive files without controlling resource consumption is security-sensitive
Security Hotspot
Configuring loggers is security-sensitive
Security Hotspot
Using weak hashing algorithms is security-sensitive
Security Hotspot
Using unsafe Jackson deserialization configuration is security-sensitive
Security Hotspot
Setting JavaBean properties is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Disabling CSRF protections is security-sensitive
Security Hotspot
Allowing deserialization of LDAP objects is security-sensitive
Security Hotspot
Searching OS commands in PATH is security-sensitive
Security Hotspot
Allowing both safe and unsafe HTTP methods is security-sensitive
Security Hotspot
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Using non-standard cryptographic algorithms is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
Formatting SQL queries is security-sensitive
Security Hotspot
Hard-coded passwords are security-sensitive
Security Hotspot
Using hardcoded IP addresses is security-sensitive
Security Hotspot

Allowing deserialization of LDAP objects is security-sensitive

consistency - conventional

security

Security Hotspot

JNDI supports the deserialization of objects from LDAP directories, which can lead to remote code execution.

This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization.

Ask Yourself Whether

The application connects to an untrusted LDAP directory.
User-controlled objects can be stored in the LDAP directory.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to disable deserialization of LDAP objects.

Sensitive Code Example

DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
        new SearchControls(scope, countLimit, timeLimit, attributes,
            true, // Noncompliant; allows deserialization
            deref));

Compliant Solution

DirContext ctx = new InitialDirContext();
// ...
ctx.search(query, filter,
        new SearchControls(scope, countLimit, timeLimit, attributes,
            false, // Compliant
            deref));

See

OWASP - Top 10 2021 Category A8 - Software and Data Integrity Failures
CWE - CWE-502 - Deserialization of Untrusted Data
OWASP - Top 10 2017 Category A8 - Insecure Deserialization
BlackHat presentation
Derived from FindSecBugs rule LDAP_ENTRY_POISONING

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
9.1

Analyze code in your
on-premise CI

Developer Edition
Available Since
9.1

In-IDE

SaaS

Self-Hosted