Hi folks,

I developed a Windows service in .NET using C#. I gave my .exe file to a Veracode scan, and after that the report shows some errors like the ones below.

FYI: I am using an LDAP query like the one below. How do I resolve these errors? It's a Windows service, not a web application.

using System.DirectoryServices;

// Searcher bound to the directory; this declaration was missing from the snippet as posted
DirectorySearcher mySearcher = new DirectorySearcher(new DirectoryEntry());
string s1 = "xyz";
// Filter built by string concatenation: s1 is placed inside the filter without any escaping,
// which is what the scanner reports as LDAP injection
mySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=" + s1 + "))";
SearchResult sresult = mySearcher.FindOne();



=> Insufficient Input Validation (2 flaws)
Description:
Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input
that can affect the control flow or data flow of a program.
Recommendations:
Validate input from untrusted sources before it is used. The untrusted data sources may include HTTP requests, file systems,
databases, and any external systems that provide data to the application. In the case of HTTP requests, validate all parts of
the request, including headers, form fields, cookies, and URL components that are used to transfer information from the
browser to the server side application.
Duplicate any client-side checks on the server side. This should be simple to implement in terms of time and difficulty, and will
greatly reduce the likelihood of insecure parameter values being used in the application.


=> Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID 90) (2 flaws)
Description
The software does not sufficiently sanitize special elements that are used in LDAP queries or responses, allowing
attackers to modify the syntax, contents, or commands of the LDAP query before it is executed.
Effort to Fix: 3 - Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
Recommendations
Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines
when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to
remove all instances of disallowed characters.

What I have tried:

mySearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=" + Encoder.LdapFilterEncode(Encoder.HtmlEncode(s1)) + "))";
Updated 19-Mar-18 0:05am

1 solution

Inspect the results of Encoder.HtmlEncode(s1), and then inspect the results of Encoder.LdapFilterEncode(Encoder.HtmlEncode(s1)). You may be inadvertently injecting special characters into the string as a result of the encoding.

It might also see the & symbol near the beginning of your string as a special character.
Comments
RamanaReddy V 13-Mar-18 8:04am    
That symbol is required. It's an LDAP query. I tried that Encoder class but finally I removed that class. Even so, I am still getting that Veracode error.
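Added example, not code from the question or the answer above: an RFC 4515 escaping routine for the sAMAccountName value, combined with an allow-list check, wired into the same filter as the question. The regex, the exception messages and the FindEnabledUser helper are assumptions for illustration; the allow-list is deliberately stricter than what Active Directory permits in a sAMAccountName and should be adjusted to the naming policy in use.

```csharp
using System;
using System.DirectoryServices;
using System.Text;
using System.Text.RegularExpressions;

static class LdapFilterSafety
{
    // RFC 4515: characters with special meaning inside a filter value are replaced by \xx hex escapes.
    // Applied to the *value* only, never to the filter template; the leading "&" stays as-is.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Allow-list for the account name (assumption: tighter than AD's own rules; adjust to your policy).
    static readonly Regex SamAccountName = new Regex(@"^[A-Za-z0-9._-]{1,20}$", RegexOptions.Compiled);

    public static bool IsValidSamAccountName(string s) => s != null && SamAccountName.IsMatch(s);

    // Validation first, escaping second: rejecting unexpected input and neutralising the rest
    // is the explicit step between input and sink that static analysers look for.
    public static string BuildEnabledUserFilter(string accountName)
    {
        if (!IsValidSamAccountName(accountName))
            throw new ArgumentException("account name does not match the expected format", nameof(accountName));
        return "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)"
             + "(sAMAccountName=" + EscapeFilterValue(accountName) + "))";
    }

    // Hypothetical helper showing the filter used with DirectorySearcher, as in the question.
    public static SearchResult FindEnabledUser(DirectoryEntry root, string accountName)
    {
        using (var searcher = new DirectorySearcher(root) { Filter = BuildEnabledUserFilter(accountName) })
            return searcher.FindOne();
    }
}
```

With this in place, an input such as `*)(uid=*` is rejected by the allow-list, and a value that passes it but still contains `(`, `)`, `*` or `\` is escaped rather than interpreted as filter syntax.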

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)