Ldap Injection in Adonisjs with Mongodb
Ldap Injection in Adonisjs with Mongodb — how this specific combination creates or exposes the vulnerability
Ldap Injection occurs when user input is concatenated into LDAP query strings without validation or escaping, allowing an attacker to manipulate the query structure. In AdonisJS, this typically happens in authentication or user-search logic that builds LDAP filters from request parameters. While AdonisJS itself does not execute LDAP queries, your application code might use an LDAP client (e.g., ldapjs or similar) to bind or search, and then store or reference related data in a MongoDB database. This combination becomes risky when the LDAP query result influences what data is fetched or updated in MongoDB, or when identifiers derived from LDAP are used in MongoDB operations.
Consider an endpoint that accepts a username and attempts an LDAP bind to validate credentials, then retrieves extended profile data from MongoDB. If the username is directly interpolated into the LDAP filter, an attacker can supply special characters like * or ) to change the filter logic. For example:
const username = req.input('username');
const filter = `(uid=${username})`;
ldapClient.search('dc=example,dc=com', filter, ...);
An input such as uid)(objectClass=*) changes the filter to (uid=uid)(objectClass=*)), potentially bypassing authentication or causing excessive searches. If the application then uses the same user identifier to build a MongoDB query, such as db.users.findOne({ ldapUid: username }), the attacker may exploit secondary effects like information disclosure or injection into update operations if the identifier is not properly validated. The risk is not in LDAP or MongoDB per se, but in the lack of input sanitization and strict schema usage between these systems.
Additionally, if your application uses parsed LDAP entries to construct MongoDB update operations, unchecked attributes (e.g., displayName or mail) could lead to unintended updates or exposure of sensitive fields. For instance, an LDAP entry may contain attributes that are directly assigned to a MongoDB document without type checks, enabling injection-like behavior through manipulated directory data. This is especially relevant in environments where MongoDB collections store references to LDAP identities for authorization purposes.
To detect such issues, middleBrick scans the unauthenticated API surface across 12 checks including Input Validation and Authentication, and maps findings to frameworks like OWASP API Top 10. If your API accepts identifiers used in LDAP contexts and interacts with MongoDB, a scan can highlight missing validation or unsafe composition patterns that may lead to injection or data exposure.
Mongodb-Specific Remediation in Adonisjs — concrete code fixes
Remediation focuses on strict input validation, parameterized queries, and avoiding direct concatenation of user input into LDAP filters or MongoDB queries. For LDAP, use library-supported escape mechanisms and avoid building filters via string interpolation. For MongoDB, use native driver methods with typed schemas and avoid dynamic key construction from user input.
LDAP input validation and escaping
Validate and sanitize the username against a strict pattern before using it in LDAP queries. Use an LDAP escaping function if your client supports it, or manually escape special characters. Example with a simple whitelist validation and safe search construction:
const username = req.input('username');
// Strict alphanumeric and limited special characters validation
if (!/^[a-zA-Z0-9._-]+$/.test(username)) {
throw new Error('Invalid username format');
}
// Use parameterized filter construction (no concatenation)
const filter = `(uid=${username})`;
ldapClient.search('dc=example,dc=com', filter, (err, res) => { /* handle */ });
MongoDB query using strict schema validation
Use MongoDB’s native driver with explicit field selection and typed queries. Avoid passing raw user input directly into query objects. Instead, map validated input to known fields:
const { MongoClient } = require('mongodb');
const client = new MongoClient('mongodb://localhost:27017');
await client.connect();
const db = client.db('myapp');
const username = req.input('username');
// Ensure username is validated before use
if (!/^[a-zA-Z0-9._-]+$/.test(username)) {
throw new Error('Invalid username');
}
// Safe query using a mapped field
const user = await db.collection('users').findOne({ ldapUid: username });
console.log(user ? 'User found' : 'Not found');
Avoiding dynamic updates from LDAP attributes
If you populate MongoDB documents from LDAP entries, explicitly whitelist attributes and apply type checks. Do not directly assign LDAP entry properties to MongoDB update objects:
const updateData = {};
// Whitelist safe fields only
if (ldapEntry.displayName && typeof ldapEntry.displayName === 'string') {
updateData.displayName = ldapEntry.displayName.substring(0, 255);
}
if (ldapEntry.mail && typeof ldapEntry.mail === 'string') {
updateData.email = ldapEntry.mail;
}
await db.collection('users').updateOne(
{ ldapUid: validatedUsername },
{ $set: updateData }
);
Using the middlebrick CLI you can scan your API endpoints to verify that input validation and query composition follow these patterns. The CLI runs 12 parallel checks including Input Validation, Authentication, and Unsafe Consumption, providing prioritized findings with remediation guidance. For teams integrating security into development workflows, the Pro plan adds continuous monitoring and CI/CD integration, including GitHub Action PR gates that can fail builds when risk scores exceed your threshold.