From f35614ebeb9b1705a17ef7947d43bd4c201d5269 Mon Sep 17 00:00:00 2001
From: hsinhoyeh
Date: Wed, 14 Feb 2024 15:39:28 +0000
Subject: [PATCH 1/3] fix: add sanitizer to ldap account and password

fixed: #3354

Signed-off-by: hsinhoyeh
---
 connector/ldap/ldap.go      | 18 ++++++++++++++++++
 connector/ldap/ldap_test.go | 12 ++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index c50d8309c4..38b8172e4e 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -9,7 +9,9 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"regexp"
 	"strings"
+	"errors"
 
 	"github.com/go-ldap/ldap/v3"
 
@@ -460,6 +462,22 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 
 func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
 	// make this check to avoid unauthenticated bind to the LDAP server.
+
+	matched, err := regexp.MatchString(`[\w\s\*]+`, username)
+	if err != nil {
+		return connector.Identity{}, false, err
+	}
+	if matched {
+		return connector.Identity{}, false, errors.New("invalid input")
+	}
+	matched, err = regexp.MatchString(`[\w\*]+`, password)
+	if err != nil {
+		return connector.Identity{}, false, err
+	}
+	if matched {
+		return connector.Identity{}, false, errors.New("invalid input")
+	}
+
 	if password == "" {
 		return connector.Identity{}, false, nil
 	}
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 24254dcc9c..bc95c9e102 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
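Review bot: The two regexp checks added at the top of Login reject almost every login rather than the wildcard case: `[\w\s\*]+` and `[\w\*]+` are unanchored and match any string containing a single word character, so `matched` is true for ordinary usernames and passwords and Login returns "invalid input" before any bind is attempted. The intent reads as "reject characters outside an allowed set", which needs an anchored allow-list pattern with the rejection on its negation, e.g. `^[\w\s]+$` for the username and `if !matched { return connector.Identity{}, false, errors.New("invalid input") }`; `regexp.MatchString` also recompiles the pattern on every call, so a package-level `regexp.MustCompile` would be the usual form. The second patch in this series removes this block in favour of `ldap.EscapeFilter`, so this applies only if the allow-list approach is revisited. Login's body continues outside the hunk.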
@@ -83,6 +83,18 @@ func TestQuery(t *testing.T) {
 			password:  "foo",
 			wantBadPW: true, // Want invalid password, not a query error.
 		},
+		{
+			name:     "invalid wildcard username",
+			username: "a*", // wildcard query is not allowed
+			password: "foo",
+			wantErr:  true,
+		},
+		{
+			name:     "invalid wildcard password",
+			username: "john",
+			password: "*", //wildcard password is not allowed
+			wantErr:  true,
+		},
 	}
 
 	runTests(t, connectLDAP, c, tests)

From ccab7085908275cb169378da1c6acc42cd27e021 Mon Sep 17 00:00:00 2001
From: hsinhoyeh
Date: Sat, 24 Feb 2024 00:35:05 +0800
Subject: [PATCH 2/3] only santize username/password should be enough

Signed-off-by: hsinhoyeh
---
 connector/ldap/ldap.go      | 20 +++----------------
 connector/ldap/ldap_test.go | 16 ++++++++--------
 2 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index 38b8172e4e..f0aa7eff76 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -9,9 +9,7 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"regexp"
 	"strings"
-	"errors"
 
 	"github.com/go-ldap/ldap/v3"
 
@@ -463,21 +461,6 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
 	// make this check to avoid unauthenticated bind to the LDAP server.
 
-	matched, err := regexp.MatchString(`[\w\s\*]+`, username)
-	if err != nil {
-		return connector.Identity{}, false, err
-	}
-	if matched {
-		return connector.Identity{}, false, errors.New("invalid input")
-	}
-	matched, err = regexp.MatchString(`[\w\*]+`, password)
-	if err != nil {
-		return connector.Identity{}, false, err
-	}
-	if matched {
-		return connector.Identity{}, false, errors.New("invalid input")
-	}
-
 	if password == "" {
 		return connector.Identity{}, false, nil
 	}
@@ -489,6 +472,9 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
 		user ldap.Entry
 	)
 
+	username = ldap.EscapeFilter(username)
+	password = ldap.EscapeFilter(password)
+
 	err = c.do(ctx, func(conn *ldap.Conn) error {
 		entry, found, err := c.userEntry(conn, username)
 		if err != nil {
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index bc95c9e102..801f5fa4bf 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -84,16 +84,16 @@ func TestQuery(t *testing.T) {
 			wantBadPW: true, // Want invalid password, not a query error.
 		},
 		{
-			name:     "invalid wildcard username",
-			username: "a*", // wildcard query is not allowed
-			password: "foo",
-			wantErr:  true,
+			name:      "invalid wildcard username",
+			username:  "a*", // wildcard query is not allowed
+			password:  "foo",
+			wantBadPW: true, // Want invalid password, not a query error.
 		},
 		{
-			name:     "invalid wildcard password",
-			username: "john",
-			password: "*", //wildcard password is not allowed
-			wantErr:  true,
+			name:      "invalid wildcard password",
+			username:  "john",
+			password:  "*", //wildcard password is not allowed
+			wantBadPW: true, // Want invalid password, not a query error.
 		},
 	}
 

From 8fb472d5107159decd783c2200b54162d26acffe Mon Sep 17 00:00:00 2001
From: hsinhoyeh
Date: Tue, 12 Mar 2024 05:23:51 +0800
Subject: [PATCH 3/3] fix lint

Signed-off-by: hsinhoyeh
---
 connector/ldap/ldap_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 801f5fa4bf..f00f1ead99 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -92,7 +92,7 @@ func TestQuery(t *testing.T) {
 		{
 			name:      "invalid wildcard password",
 			username:  "john",
-			password:  "*", //wildcard password is not allowed
+			password:  "*", // wildcard password is not allowed
 			wantBadPW: true, // Want invalid password, not a query error.
 		},
 	}
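Review bot: `password = ldap.EscapeFilter(password)` rewrites the credential itself rather than a search filter: a password containing `*`, `(`, `)`, `\` or NUL is replaced by its `\xx`-escaped form, so any user whose real password contains such a character can no longer authenticate. Within this hunk the password is only reassigned; if it is used solely for the bind later in Login (outside the hunk), the escape line for it should be dropped, since the bind must receive the raw value. Escaping username at this call site also protects only this one caller of `c.userEntry`; applying `ldap.EscapeFilter` inside userEntry, where the filter string is presumably built, would cover every caller with one change. Login's body continues outside the hunk on both sides.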
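Review bot: The "invalid wildcard password" case does not exercise the change: `"*"` is not john's password, so `wantBadPW: true` holds with or without escaping, and the case cannot catch a regression in how the password is handled. The case that would pin the behaviour is a fixture user whose configured password contains a filter metacharacter, asserting a successful login; it would also reveal whether escaping the password before the bind breaks authentication. The "invalid wildcard username" case is the meaningful one, since an unescaped `a*` could match several entries; a short comment such as `// escaped, the query matches no user instead of several` would explain why its expectation moved from `wantErr` to `wantBadPW`.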