From 28b69da3dd8f2bc3b63326ef1cac0e01208b8e53 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 18:52:13 +0000
Subject: [PATCH 1/3] Initial plan

From 0bb5df88497691ed1c23e1da9bc9965df3717d5c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 25 Nov 2025 19:03:29 +0000
Subject: [PATCH 2/3] Fix hardcoded LDAP credential vulnerability

Replace hardcoded password 'secret' in LDAPManager with environment variable LDAP_ADMIN_PASSWORD. Falls back to system property for backward compatibility.

Co-authored-by: felickz <1760475+felickz@users.noreply.github.com>
---
 .../java/org/owasp/benchmark/helpers/LDAPManager.java | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java b/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java
index 66ac4b711c..85b03451da 100644
--- a/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java
+++ b/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java
@@ -59,7 +59,15 @@ protected Hashtable createEnv() {
 env.put(Context.PROVIDER_URL, "ldap://localhost:10389");
 env.put(Context.SECURITY_AUTHENTICATION, "simple");
 env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
- env.put(Context.SECURITY_CREDENTIALS, "secret");
+
+ // Retrieve credentials from environment variable instead of hardcoding
+ String ldapPassword = System.getenv("LDAP_ADMIN_PASSWORD");
+ if (ldapPassword == null || ldapPassword.isEmpty()) {
// Fallback to system property for backward compatibility
ldapPassword = System.getProperty("ldap.admin.password", "secret");
}
env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
+
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
return env;
}
From 2543cee22bfa265607748b500592255e2f22f28a Mon Sep 17 00:00:00 2001
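Review bot: The credential this patch sets out to remove is still in the hunk: `System.getProperty("ldap.admin.password", "secret")` keeps `"secret"` as the default, so a deployment that sets neither LDAP_ADMIN_PASSWORD nor the property still binds as `uid=admin,ou=system` with the same literal as before, now without anything in the source making that obvious. If the default exists only for the benchmark's bundled local directory (the `ldap://localhost:10389` URL suggests a test instance, but that is inferred), state it in the comment, e.g. `// Default matches the bundled local test directory's admin account; not intended for any other deployment`, or drop the default and fail when no credential is configured. Note also that an empty LDAP_ADMIN_PASSWORD is silently treated as unset rather than rejected, which can mask a mis-exported variable. createEnv() begins before this hunk.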
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 25 Nov 2025 19:04:59 +0000 Subject: [PATCH 3/3] Address code review feedback: improve credential validation - Add proper empty string validation using trim() - Add warning when falling back to default password - Improve security by alerting administrators when secure configuration is missing Co-authored-by: felickz <1760475+felickz@users.noreply.github.com> --- .../java/org/owasp/benchmark/helpers/LDAPManager.java | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java b/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java index 85b03451da..3a96ec3333 100644 --- a/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java +++ b/src/main/java/org/owasp/benchmark/helpers/LDAPManager.java @@ -62,9 +62,16 @@ protected Hashtable createEnv() { // Retrieve credentials from environment variable instead of hardcoding String ldapPassword = System.getenv("LDAP_ADMIN_PASSWORD"); - if (ldapPassword == null || ldapPassword.isEmpty()) { + if (ldapPassword == null || ldapPassword.trim().isEmpty()) { // Fallback to system property for backward compatibility - ldapPassword = System.getProperty("ldap.admin.password", "secret"); + ldapPassword = System.getProperty("ldap.admin.password"); + if (ldapPassword == null || ldapPassword.trim().isEmpty()) { + // Last resort fallback for test environments only + System.err.println( + "WARNING: Using default LDAP password. " + + "Set LDAP_ADMIN_PASSWORD environment variable or ldap.admin.password system property for secure configuration."); + ldapPassword = "secret"; + } } env.put(Context.SECURITY_CREDENTIALS, ldapPassword);