package LDAP_Injection;


import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.http.*;
import java.util.Hashtable;
import java.io.IOException;
import java.util.logging.Logger;

public class LDAP_Injection
{
	static final Logger log = Logger.getLogger("logger");
	
    /* uses badsource and badsink */
    public void bad(HttpServletRequest request, HttpServletResponse response) throws NamingException, IOException
    {
        String data = System.getProperty("data"); /* init data */

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");
        DirContext ctx = new InitialDirContext(env);

        String search = "(cn=" + data + ")"; /* POTENTIAL FLAW: unsanitized data from untrusted source */

        NamingEnumeration<SearchResult> answer = ctx.search("", search, null);  // bad LDAP注入
        if (answer.hasMore())
        {
            log.info("ok");
        }

    }


    public void good(HttpServletRequest request, HttpServletResponse response) throws NamingException, IOException
    {
        String data = "foo";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://localhost:389");
        DirContext ctx = new InitialDirContext(env);

        String search = "(cn=" + data + ")"; /* POTENTIAL FLAW: unsanitized data from untrusted source */

        NamingEnumeration<SearchResult> answer = ctx.search("", search, null);  // good LDAP注入
        if (answer.hasMore())
        {
            log.info("ok");
        }

    }
}