Secure storage and transmission of LDAP service credentials
import 'package:shelf/shelf.dart' as shelf;

void main() {
  var server = shelf.IoServer();
  var ldap = LdapConnection(
    host: 'ldap.example.com',
    ssl: false, // connection to the directory is not encrypted
    bindDN: 'cn=admin,dc=example,dc=com', // service account DN hard-coded in source
    password: 'adminPassword', // service account password hard-coded in source
  );
  server.mount(ldap);
}
The above Dart code is vulnerable because the LDAP service credentials (the bind DN and password) are stored in plain text directly within the code, and, with ssl set to false, that password is also sent to the directory over an unencrypted connection. This is a serious security vulnerability because anyone who gains access to this code obtains the LDAP service credentials.
In this code, we are using the shelf package to create a server and setting up an LDAP connection using the LdapConnection class. The host, ssl, bindDN, and password parameters are passed to the LdapConnection constructor to establish the connection. The bindDN and password parameters are the LDAP credentials, and they are stored in plain text directly in the code.
This is a major security risk, as anyone with access to the codebase (including its version-control history) can read these credentials. A malicious actor could use them to gain unauthorized access to the LDAP service, potentially leading to data leaks, data manipulation, or denial of service.
import 'dart:io';
import 'package:shelf/shelf.dart' as shelf;
import 'package:dotenv/dotenv.dart' as dotenv;

// Reads a required setting from the map dotenv filled from the .env file, falling
// back to the process environment. dotenv cannot modify Platform.environment, so
// reading only Platform.environment would silently ignore the .env file.
String requireSetting(String name) {
  final value = dotenv.env[name] ?? Platform.environment[name];
  if (value == null || value.isEmpty) {
    throw StateError('Missing required setting: $name'); // fail fast instead of binding with null
  }
  return value;
}

void main() {
  dotenv.load(); // Load settings from the .env file (kept out of version control)
  var server = shelf.IoServer();
  var ldap = LdapConnection(
    host: requireSetting('LDAP_HOST'),
    ssl: true, // Encrypt the connection to the LDAP server
    bindDN: requireSetting('LDAP_BIND_DN'),
    password: requireSetting('LDAP_PASSWORD'),
  );
  server.mount(ldap);
}
The updated code removes the hard-coded LDAP credentials and instead retrieves them at runtime from environment variables. This is done using the dotenv package, which loads environment variables from a .env file at the root of the project.

The ssl parameter in the LdapConnection constructor is set to true to ensure that the connection to the LDAP server is encrypted.

The .env file should be added to .gitignore to prevent it from being committed to the version control system. In production, the actual environment variables should be set through the deployment platform's secret management rather than through a file checked into the repository.
This approach ensures that the LDAP credentials are not exposed in the code and that the connection to the LDAP server is encrypted, addressing the identified vulnerability.
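As an added example that is not part of the original page, the following Python check could run in CI or a pre-commit hook over Dart sources to catch the pattern discussed above: string literals passed to credential parameters such as bindDN and password, an LDAP connection with ssl set to false, and a .gitignore that does not cover the .env file. The sample snippets inside it are constructed to mirror the page's before and after code.

```python
import re

# Dart named arguments whose value must never be a string literal in source.
SENSITIVE_PARAMS = ("password", "bindDN", "secret", "apiKey", "token")
# Matches `password: 'literal'` / `bindDN: "literal"`; an expression such as
# dotenv.env['LDAP_PASSWORD'] or a variable name does not match.
LITERAL_ARG = re.compile(
    r"\b(?P<name>" + "|".join(SENSITIVE_PARAMS) + r")\s*:\s*(?P<q>['\"])(?P<val>.*?)(?P=q)"
)
PLAINTEXT_LDAP = re.compile(r"\bssl\s*:\s*false\b")  # LDAP connection without TLS

def scan_dart(source: str) -> list[tuple[int, str]]:
    """Return (line number, message) findings for hard-coded credentials and plaintext LDAP."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if PLAINTEXT_LDAP.search(line):
            findings.append((lineno, "LDAP connection without TLS (ssl: false)"))
        m = LITERAL_ARG.search(line)
        if m and m.group("val"):  # an empty literal is a placeholder, not a leaked secret
            findings.append((lineno, f"hard-coded literal for '{m.group('name')}'"))
    return findings

def env_file_ignored(gitignore: str, env_file: str = ".env") -> bool:
    """True if .gitignore has a pattern covering env_file (exact name or a trailing-* prefix)."""
    for raw in gitignore.splitlines():
        pat = raw.strip().lstrip("/")
        if not pat or pat.startswith("#"):
            continue
        if pat == env_file or (pat.endswith("*") and env_file.startswith(pat[:-1])):
            return True
    return False

# Constructed samples mirroring the page's vulnerable and fixed snippets.
VULNERABLE_SAMPLE = """
var ldap = LdapConnection(
  host: 'ldap.example.com',
  ssl: false,
  bindDN: 'cn=admin,dc=example,dc=com',
  password: 'adminPassword',
);
"""
FIXED_SAMPLE = """
var ldap = LdapConnection(
  host: dotenv.env['LDAP_HOST']!,
  ssl: true,
  bindDN: dotenv.env['LDAP_BIND_DN']!,
  password: dotenv.env['LDAP_PASSWORD']!,
);
"""
GITIGNORE_SAMPLE = "# local secrets, never committed\n.env\nbuild/\n"
```

Running scan_dart over the vulnerable sample reports the ssl, bindDN and password lines, while the fixed sample produces no findings.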