Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: Escape group names for LDAP #37201

Merged
merged 5 commits into from
Oct 2, 2023

Conversation

AaronDewes
Copy link
Contributor

@AaronDewes AaronDewes commented Mar 13, 2023

Summary

Nextcloud's LDAP feature allows to automatically generate queries so only certain groups are available in Nextcloud.

However, I noticed that groups may contain special characters (Like "(" or ")") that should be escaped to ensure generated queries are correct. Currently, the generated queries will be invalid and lead to 0 groups found if any groups contain such characters.

I originally encountered this issue when trying to get Nextcloud running with a MNS+ system, a very popular school managment system in Rhineland-Palatinate.

TODO

  • Are tests needed for this? There are no tests for this function at all, so I'm not sure if/how to write new ones.

Checklist

@szaimen szaimen added the 3. to review Waiting for reviews label Mar 13, 2023
@szaimen szaimen added this to the Nextcloud 27 milestone Mar 13, 2023
@szaimen szaimen requested review from blizzz, come-nc, a team and ArtificialOwl and removed request for a team March 13, 2023 19:19
Copy link
Contributor

@come-nc come-nc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would make sense to escape all the other values which are concatenated into ldap filters in the function.

@AaronDewes
Copy link
Contributor Author

AaronDewes commented Mar 14, 2023

It would make sense to escape all the other values which are concatenated into ldap filters in the function.

Yes, I fixed this now. I think these are all values that need escaping, but please let me know if I missed any.

Also, if this gets merged, can this be backported to Nextcloud 26(.0.2)?

From https://github.com/nextcloud/desktop/wiki/Backport-policy-stable-branches:

If we are doing a X.Y.2 (usually one month after the X.Y.1 release) we will backport trivial fixes even if the bug is not necessary critical but we are very confident that the fix will not introduce problems ;

Because this fix is pretty simple, and it seems like there is still some time left until Nextcloud 27, it would be great to get this backported, because it affects every Nextcloud version.

@AaronDewes AaronDewes requested review from come-nc and removed request for blizzz and ArtificialOwl March 14, 2023 06:56
@AaronDewes
Copy link
Contributor Author

I did not intend to remove the other two requests, this seems to be a bug in GitHub (I just clicked "Re-request review from @come-nc").

@come-nc
Copy link
Contributor

come-nc commented Mar 14, 2023

Also, if this gets merged, can this be backported to Nextcloud 26(.0.2)?

I’m afraid it will be for 26.0.1, we are too close to 26 release to backport in time most likely.

@@ -925,7 +925,7 @@
}
$base = $this->configuration->ldapBase[0];
foreach ($cns as $cn) {
$rr = $this->ldap->search($cr, $base, 'cn=' . $cn, ['dn', 'primaryGroupToken']);
$rr = $this->ldap->search($cr, $base, 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER), ['dn', 'primaryGroupToken']);

Check notice

Code scanning / Psalm

PossiblyNullArgument Note

Argument 2 of OCA\User_LDAP\ILDAPWrapper::search cannot be null, possibly null value provided
@come-nc come-nc requested review from blizzz, a team and ArtificialOwl and removed request for a team March 14, 2023 16:34
@blizzz blizzz added the bug label Mar 15, 2023
@blizzz
Copy link
Member

blizzz commented Mar 15, 2023

we also have Access::escapeFilterPart() (not sure why i introduced this in 2014 and not the escape method back then, maybe i simply was not aware of it, or we supported PHP < 5.6).

@come-nc
Copy link
Contributor

come-nc commented Mar 15, 2023

we also have Access::escapeFilterPart() (not sure why i introduced this in 2014 and not the escape method back then, maybe i simply was not aware of it, or we supported PHP < 5.6).

escapeFilterPart also has a special handling of the asterisk as first character, if allowed.
But I do think it would work as well to do that:

diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 1cc0c62ff1d..658de8c0b83 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -1411,9 +1411,7 @@ class Access extends LDAPUtility {
                        $asterisk = '*';
                        $input = mb_substr($input, 1, null, 'UTF-8');
                }
-               $search = ['*', '\\', '(', ')'];
-               $replace = ['\\*', '\\\\', '\\(', '\\)'];
-               return $asterisk . str_replace($search, $replace, $input);
+               return $asterisk . ldap_escape($input, '', LDAP_ESCAPE_FILTER);
        }
 
        /**

@AaronDewes
Copy link
Contributor Author

escapeFilterPart also has a special handling of the asterisk as first character, if allowed.

For this purpose, ldap_escape should be the correct method though, because the user selects these groups from a list and does not manually enter them (This menu could be improved imho, but for now, I think this is the best fix).

@AaronDewes
Copy link
Contributor Author

@blizzz @ArtificialOwl is there anything I can do to Help this PR get merged? I'd really like to have this in the next release to save school IT admins in Rhineland-Palatinate some work at the beginning of the next school year.

@blizzz
Copy link
Member

blizzz commented Apr 28, 2023

@AaronDewes from my PoV also fix the other occurrences as described in #37201 (comment) f

@AaronDewes
Copy link
Contributor Author

I did that in f1b6ddc, did I miss any?

@blizzz
Copy link
Member

blizzz commented Apr 28, 2023

In the Access class as pointed out.

@skjnldsv skjnldsv mentioned this pull request May 3, 2023
Signed-off-by: Aaron Dewes <[email protected]>
Signed-off-by: Aaron Dewes <[email protected]>
Signed-off-by: Aaron Dewes <[email protected]>
@AaronDewes
Copy link
Contributor Author

@joshtrichards @ArtificialOwl @blizz Can someone have a look again? This bug is really annoying to me, and it would be great to have it fixed soon.

@come-nc come-nc requested review from a team, Altahrim and artonge September 21, 2023 08:03
Copy link
Collaborator

@Altahrim Altahrim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: maybe add a test with parenthesis as it was the original bug

@AaronDewes
Copy link
Contributor Author

Nit: maybe add a test with parenthesis as it was the original bug

Parenthesis are correctly escaped by escapeFilterPart. Originally, this PR was just to make some generated LDAP filters use escapeFilterPart, all of which do not have tests yet at all AFAIK and I don't know how to implement myself.

@come-nc come-nc merged commit 9ebcd28 into nextcloud:master Oct 2, 2023
33 of 37 checks passed
@welcome
Copy link

welcome bot commented Oct 2, 2023

Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22

@come-nc
Copy link
Contributor

come-nc commented Oct 2, 2023

/backport stable27

@come-nc
Copy link
Contributor

come-nc commented Oct 2, 2023

/backport stable26

@come-nc
Copy link
Contributor

come-nc commented Oct 2, 2023

/backport to stable27

@come-nc
Copy link
Contributor

come-nc commented Oct 2, 2023

/backport to stable26

@backportbot-nextcloud
Copy link

The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud
Copy link

The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

AaronDewes pushed a commit to AaronDewes/nc-server that referenced this pull request Oct 2, 2023
AaronDewes pushed a commit to AaronDewes/nc-server that referenced this pull request Oct 2, 2023
@AaronDewes AaronDewes deleted the fix/ldap-filter-generation branch October 2, 2023 12:43
This was referenced Oct 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants