Skip to content

Commit

Permalink
fix: add sanitizer to ldap account and password (#3372)
Browse files Browse the repository at this point in the history
Signed-off-by: hsinhoyeh <[email protected]>
  • Loading branch information
hsinhoyeh authored Mar 11, 2024
1 parent 54ff639 commit 77333d6
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 0 deletions.
4 changes: 4 additions & 0 deletions connector/ldap/ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -460,6 +460,7 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E

func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
// make this check to avoid unauthenticated bind to the LDAP server.

if password == "" {
return connector.Identity{}, false, nil
}
Expand All @@ -471,6 +472,9 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
user ldap.Entry
)

username = ldap.EscapeFilter(username)
password = ldap.EscapeFilter(password)

err = c.do(ctx, func(conn *ldap.Conn) error {
entry, found, err := c.userEntry(conn, username)
if err != nil {
Expand Down
12 changes: 12 additions & 0 deletions connector/ldap/ldap_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,18 @@ func TestQuery(t *testing.T) {
password: "foo",
wantBadPW: true, // Want invalid password, not a query error.
},
{
name: "invalid wildcard username",
username: "a*", // wildcard query is not allowed
password: "foo",
wantBadPW: true, // Want invalid password, not a query error.
},
{
name: "invalid wildcard password",
username: "john",
password: "*", // wildcard password is not allowed
wantBadPW: true, // Want invalid password, not a query error.
},
}

runTests(t, connectLDAP, c, tests)
Expand Down

0 comments on commit 77333d6

Please sign in to comment.