Reputation: 1989
Let's say we have some code that wants to look up DNS information about a domain. The domain is controlled by a (possibly malicious) user:
import java.util.Hashtable;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;

String payload = "gmail.com"; // This string is user-controlled
var env = new Hashtable<String, String>(); // InitialDirContext takes a Hashtable, not a HashMap
env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
// some more env.put probably
var dirContext = new InitialDirContext(env);
// The user-controlled string is concatenated straight into the JNDI name
Attributes attributes = dirContext.getAttributes("dns:/" + payload);
// Do something with attributes
Is this unsafe? My gut tells me that JNDI is far too powerful to enter user-controlled data without any escaping (SQL injections and Log4Shell come to mind).
I couldn't find any information on possible vulnerabilities; looking through the code for the DnsContextFactory and DnsContext also makes it look like the user-controlled part is sent directly to the DNS resolver. Since the user technically can control a server that will respond to the DNS query (by hosting the nameserver), my initial thought was that someone could smuggle out information, like '$superSecretEnvVar.evil-domain.com'. But I couldn't find any information about additional processing of the string.
Is there anything unsafe about "trusting" the user input using JNDI?
Upvotes: 2
Views: 41
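Whatever the DNS provider does with the name, the user-controlled string in the question is concatenated into a JNDI URL string, so the check a practitioner would want is to reject anything that is not a syntactically valid hostname before it reaches the context. The class below is an added example, not code from the question or from the JDK: `requireHostname` converts the input to its ASCII (punycode) form, then allowlists each DNS label, and `lookup` only calls `InitialDirContext` with a name that passed that check. The class name, the method names and the sample inputs in `main` are all assumptions for the demonstration.

```java
import java.net.IDN;
import java.util.Hashtable;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added example (hypothetical class): validate a user-supplied domain before it reaches JNDI. */
public final class DnsLookup {
    // One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
    // This is the LDH rule, so underscores (e.g. _dmarc) are rejected on purpose; widen it if you need them.
    private static final Pattern LABEL =
            Pattern.compile("^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$");
    private static final int MAX_NAME_LENGTH = 253;

    /** Returns the canonical (ASCII, lower-case, no trailing dot) hostname or throws IllegalArgumentException. */
    public static String requireHostname(String input) {
        if (input == null) {
            throw new IllegalArgumentException("domain is null");
        }
        String name = input.endsWith(".") ? input.substring(0, input.length() - 1) : input;
        if (name.isEmpty() || name.length() > MAX_NAME_LENGTH) {
            throw new IllegalArgumentException("domain length out of range");
        }
        // Internationalised names become punycode here, so the ASCII allowlist below applies to everything.
        // IDN.toASCII itself throws IllegalArgumentException on input it cannot convert.
        String ascii = IDN.toASCII(name);
        // Limit -1 keeps empty labels, so "a..b" and ".a" fail the label check instead of being silently dropped.
        for (String label : ascii.split("\\.", -1)) {
            if (!LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("invalid DNS label: '" + label + "'");
            }
        }
        // Anything containing ':', '/', '?', '#', whitespace or quotes was rejected above, so the
        // validated value cannot change the structure of the "dns:/..." URL it is concatenated into.
        return ascii.toLowerCase(Locale.ROOT);
    }

    /** The lookup from the question, performed only on a validated name. */
    public static Attributes lookup(String userDomain, String... attrIds) throws NamingException {
        String domain = requireHostname(userDomain);
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        DirContext ctx = new InitialDirContext(env);
        try {
            // getAttributes(name, null) returns all attributes; an empty array would return none.
            return ctx.getAttributes("dns:/" + domain, attrIds.length == 0 ? null : attrIds);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample inputs: two valid names, then inputs that must never reach JNDI.
        String[] samples = {
            "gmail.com", "GMAIL.COM.", "bücher.example",
            "-bad.example", "a..b", "evil.example:53/victim.internal", "x y.example", ""
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: '" + s + "' -> " + requireHostname(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: '" + s + "' (" + e.getMessage() + ")");
            }
        }
        // Optional live query (needs network): java DnsLookup example.com
        if (args.length == 1) {
            System.out.println(lookup(args[0], "MX"));
        }
    }
}
```

The validator is deliberately stricter than what DNS can carry: it accepts only hostnames, not arbitrary owner names, and it normalises case and the trailing dot so the same domain always produces the same string. Whether the JNDI DNS provider would have done anything surprising with the rejected inputs is a separate question; the point of the check is that the answer no longer matters for this code path.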