Merge pull request ESAPI#712 from noloader/develop

Add forward slash encoding to DefaultEncoder's encodeForLDAP and encodeForDN

Author: xeno6696

src/main/java/org/owasp/esapi/reference/DefaultEncoder.java

@@ -305,13 +305,22 @@ public String encodeForLDAP(String input, boolean encodeWildcards) {
         }
         // TODO: replace with LDAP codec
         StringBuilder sb = new StringBuilder();
+        // According to Microsoft docs [1,2], the forward slash ('/') MUST be escaped.
+        // According to RFC 4513 Section 3 [3], the forward slash (and other characters) MAY be escaped.
+        // Since Microsoft is a MUST, escape forward slash for all implementations. Also see discussion at [4].
+        // [1] https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
+        // [2] https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
+        // [3] https://tools.ietf.org/search/rfc4515#section-3
+        // [4] https://lists.openldap.org/hyperkitty/list/[email protected]/thread/3QPDDLO356ONSJM3JUKD7NMPOOIKIQ5T/
         for (int i = 0; i < input.length(); i++) {
             char c = input.charAt(i);
-
             switch (c) {
                 case '\\':
                     sb.append("\\5c");
                     break;
+                case '/':
+                    sb.append("\\2f");
+                    break;
                 case '*': 
                     if (encodeWildcards) {
                         sb.append("\\2a"); 
@@ -349,12 +358,16 @@ public String encodeForDN(String input) {
         if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) {
             sb.append('\\'); // add the leading backslash if needed
         }
+        // See discussion of forward slash ('/') in encodeForLDAP()
         for (int i = 0; i < input.length(); i++) {
             char c = input.charAt(i);
             switch (c) {
             case '\\':
                 sb.append("\\\\");
                 break;
+            case '/':
+                sb.append("\\/");
+                break;
             case ',':
                 sb.append("\\,");
                 break;

src/test/java/org/owasp/esapi/reference/EncoderTest.java

@@ -535,6 +535,7 @@ public void testEncodeForLDAP() {
         assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000"));
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is \\2a a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �"));
         assertEquals("Hi \\28This\\29 =", instance.encodeForLDAP("Hi (This) ="));
+        assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
     }
 
     /**
@@ -547,6 +548,7 @@ public void testEncodeForLDAPWithoutEncodingWildcards() {
         assertEquals("No special characters to escape", "Hi This is a test #��", instance.encodeForLDAP("Hi This is a test #��", false));
         assertEquals("Zeros", "Hi \\00", instance.encodeForLDAP("Hi \u0000", false));
         assertEquals("LDAP Christams Tree", "Hi \\28This\\29 = is * a \\5c test # � � �", instance.encodeForLDAP("Hi (This) = is * a \\ test # � � �", false));
+        assertEquals("Forward slash for \\2fMicrosoft\\2f \\2fAD\\2f", instance.encodeForLDAP("Forward slash for /Microsoft/ /AD/"));
     }
 
     /**
@@ -563,6 +565,7 @@ public void testEncodeForDN() {
         assertEquals("less than greater than", "Hello\\<\\>", instance.encodeForDN("Hello<>"));
         assertEquals("only 3 spaces", "\\  \\ ", instance.encodeForDN("   "));
         assertEquals("Christmas Tree DN", "\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ", instance.encodeForDN(" Hello\\ + , \"World\" ; "));
+        assertEquals("Forward slash for \\/Microsoft\\/ \\/AD\\/", instance.encodeForDN("Forward slash for /Microsoft/ /AD/"));
     }
 
     /**