I'm whitelisting the input data to an LDAP/AD search on 'sn' (=surname). The purpose is to stop penetration attacks through the app and into the LDAP servers (i.e. no brackets, please).
using System.Text.RegularExpressions;

// whitelist input data: keep only letters, space, period, apostrophe and hyphen
// (hyphen placed last in the class so it is read literally, not as a range).
partialName = Regex.Replace(partialName, @"[^. a-zA-Z'-]", string.Empty);
Do you think this is a useful subset? I don't want to allow anything bad through but it does need to be usable.
UPDATE
Instead of whitelisting I should be escaping characters (@200_success):
// escape LDAP filter string characters (RFC 4515 section 3).
// Backslash must be replaced first, otherwise the backslashes introduced
// by the later replacements would themselves be escaped again.
partialName =
    partialName
        .Replace(@"\", @"\5c")
        .Replace(@"*", @"\2a")
        .Replace(@"(", @"\28")
        .Replace(@")", @"\29")
        .Replace("\0", @"\00"); // NUL is the fifth character the RFC requires to be escaped
This works against my LDAP server. I can't pass an asterisk anyway as the interface is a REST URL and that causes a Request.Path exception.
- You should be able to use asterisks as long as you encode them when issuing the request. See allowing asterisk in URL and HttpServerUtility.UrlEncode. – Dan Lyons, Nov 8, 2013 at 18:37
1 Answer
Don't ever make assumptions of what to allow or disallow based on what you have seen in your experience. Always consult the specification, which is, in this case, RFC 4515 Sec 3. The spec will tell you which characters require escaping, and what the escaping mechanism is.
- I'm trying to whitelist so I'm only considering what to allow. The only thing the RFC is telling me is don't allow left and right parenthesis: filter = LPAREN filtercomp RPAREN – Boggin, Oct 16, 2013 at 9:07
- @Boggin He's right, you should escape rather than whitelist. And for security's sake, make sure you test that you can create and fetch users with "weird" characters, including the escape sequence. – l0b0, Oct 16, 2013 at 15:34
- No, you're interpreting the spec wrong. Read the last paragraph on page 3: asterisk, left paren, right paren, backslash, and NUL all must be escaped, and the escaping mechanism is backslash hexdigit hexdigit. – 200_success, Oct 16, 2013 at 19:24