Add forward slash encoding to DefaultEncoder's encodeForLDAP and encodeForDN

noloader · noloader · commit 613bc49cf6f0 · 2022-06-28T14:01:30.000-04:00
According to [1] and [2], the forward slash ('/') character should be encoded for LDAP filters and distinguished names [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java b/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java
@@ -305,13 +305,18 @@ public String encodeForLDAP(String input, boolean encodeWildcards) {
         }
         // TODO: replace with LDAP codec
         StringBuilder sb = new StringBuilder();
+        // According to "Special Characters" at [1], the encoder should escape '*', '(', ')', '\', '/', NUL. Also see [2].
+        // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
+        // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
         for (int i = 0; i < input.length(); i++) {
             char c = input.charAt(i);
-
             switch (c) {
                 case '\\':
                     sb.append("\\5c");
                     break;
+                case '/':
+                    sb.append("\\2f");
+                    break;
                 case '*': 
                     if (encodeWildcards) {
                         sb.append("\\2a"); 
@@ -349,12 +354,18 @@ public String encodeForDN(String input) {
         if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) {
             sb.append('\\'); // add the leading backslash if needed
         }
+        // According to [1] and [2], the encoder should escape forward slash ('/') in DNs.
+        // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
+        // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
         for (int i = 0; i < input.length(); i++) {
             char c = input.charAt(i);
             switch (c) {
             case '\\':
                 sb.append("\\\\");
                 break;
+            case '/':
+                sb.append("\\/");
+                break;
             case ',':
                 sb.append("\\,");
                 break;
