Merge pull request #1148 from vmware-tanzu/ldap_group_search_escape

cfryanr · web-flow · commit cc1f0b8db931 · 2022-05-02T14:44:45.000-07:00
Escape special characters in LDAP DNs when used in search filters
diff --git a/internal/upstreamldap/upstreamldap.go b/internal/upstreamldap/upstreamldap.go
@@ -715,18 +715,24 @@ func (p *Provider) groupSearchRequestedAttributes() []string {
 }
 
 func (p *Provider) userSearchFilter(username string) string {
-	safeUsername := p.escapeUsernameForSearchFilter(username)
+	// The username is end user input, so it should be escaped before being included in a search to prevent
+	// query injection.
+	safeUsername := p.escapeForSearchFilter(username)
 	if len(p.c.UserSearch.Filter) == 0 {
 		return fmt.Sprintf("(%s=%s)", p.c.UserSearch.UsernameAttribute, safeUsername)
 	}
 	return interpolateSearchFilter(p.c.UserSearch.Filter, safeUsername)
 }
 
 func (p *Provider) groupSearchFilter(userDN string) string {
+	// The DN can contain characters that are considered special characters by LDAP searches, so it should be
+	// escaped before being included in the search filter to prevent bad search syntax.
+	// E.g. for the DN `CN=My User (Admin),OU=Users,OU=my,DC=my,DC=domain` we must escape the parens.
+	safeUserDN := p.escapeForSearchFilter(userDN)
 	if len(p.c.GroupSearch.Filter) == 0 {
-		return fmt.Sprintf("(member=%s)", userDN)
+		return fmt.Sprintf("(member=%s)", safeUserDN)
 	}
-	return interpolateSearchFilter(p.c.GroupSearch.Filter, userDN)
+	return interpolateSearchFilter(p.c.GroupSearch.Filter, safeUserDN)
 }
 
 func interpolateSearchFilter(filterFormat, valueToInterpolateIntoFilter string) string {
@@ -737,9 +743,8 @@ func interpolateSearchFilter(filterFormat, valueToInterpolateIntoFilter string)
 	return "(" + filter + ")"
 }
 
-func (p *Provider) escapeUsernameForSearchFilter(username string) string {
-	// The username is end user input, so it should be escaped before being included in a search to prevent query injection.
-	return ldap.EscapeFilter(username)
+func (p *Provider) escapeForSearchFilter(s string) string {
+	return ldap.EscapeFilter(s)
 }
 
 // Returns the (potentially) binary data of the attribute's value, base64 URL encoded.
diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go
@@ -479,7 +479,7 @@ func TestEndUserAuthentication(t *testing.T) {
 			wantAuthResponse: expectedAuthResponse(nil),
 		},
 		{
-			name:           "when the username has special LDAP search filter characters then they must be properly escaped in the search filter, because the username is end-user input",
+			name:           "when the username has special LDAP search filter characters then they must be properly escaped in the custom user search filter, because the username is end-user input",
 			username:       `a&b|c(d)e\f*g`,
 			password:       testUpstreamPassword,
 			providerConfig: providerConfig(nil),
@@ -497,6 +497,92 @@ func TestEndUserAuthentication(t *testing.T) {
 			},
 			wantAuthResponse: expectedAuthResponse(nil),
 		},
+		{
+			name:     "when the username has special LDAP search filter characters then they must be properly escaped in the default user search filter, because the username is end-user input",
+			username: `a&b|c(d)e\f*g`,
+			password: testUpstreamPassword,
+			providerConfig: providerConfig(func(p *ProviderConfig) {
+				p.UserSearch.Filter = ""
+			}),
+			searchMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
+				conn.EXPECT().Search(expectedUserSearch(func(r *ldap.SearchRequest) {
+					r.Filter = fmt.Sprintf("(some-upstream-username-attribute=%s)", `a&b|c\28d\29e\5cf\2ag`)
+				})).Return(exampleUserSearchResult, nil).Times(1)
+				conn.EXPECT().SearchWithPaging(expectedGroupSearch(nil), expectedGroupSearchPageSize).
+					Return(exampleGroupSearchResult, nil).Times(1)
+				conn.EXPECT().Close().Times(1)
+			},
+			bindEndUserMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testUserSearchResultDNValue, testUpstreamPassword).Times(1)
+			},
+			wantAuthResponse: expectedAuthResponse(nil),
+		},
+		{
+			name:           "when the user search result DN has special LDAP search filter characters then they must be properly escaped in the custom group search filter",
+			username:       testUpstreamUsername,
+			password:       testUpstreamPassword,
+			providerConfig: providerConfig(nil),
+			searchMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
+				conn.EXPECT().Search(expectedUserSearch(nil)).
+					Return(&ldap.SearchResult{
+						Entries: []*ldap.Entry{
+							{
+								DN: `result DN with * \ special characters ()`,
+								Attributes: []*ldap.EntryAttribute{
+									ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
+									ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
+								},
+							},
+						},
+					}, nil).Times(1)
+				conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
+					escapedDN := `result DN with \2a \5c special characters \28\29`
+					r.Filter = fmt.Sprintf("(some-group-filter=%s-and-more-filter=%s)", escapedDN, escapedDN)
+				}), expectedGroupSearchPageSize).Return(exampleGroupSearchResult, nil).Times(1)
+				conn.EXPECT().Close().Times(1)
+			},
+			bindEndUserMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(`result DN with * \ special characters ()`, testUpstreamPassword).Times(1)
+			},
+			wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
+				r.DN = `result DN with * \ special characters ()`
+			}),
+		},
+		{
+			name:     "when the user search result DN has special LDAP search filter characters then they must be properly escaped in the default group search filter",
+			username: testUpstreamUsername,
+			password: testUpstreamPassword,
+			providerConfig: providerConfig(func(p *ProviderConfig) {
+				p.GroupSearch.Filter = ""
+			}),
+			searchMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(testBindUsername, testBindPassword).Times(1)
+				conn.EXPECT().Search(expectedUserSearch(nil)).
+					Return(&ldap.SearchResult{
+						Entries: []*ldap.Entry{
+							{
+								DN: `result DN with * \ special characters ()`,
+								Attributes: []*ldap.EntryAttribute{
+									ldap.NewEntryAttribute(testUserSearchUsernameAttribute, []string{testUserSearchResultUsernameAttributeValue}),
+									ldap.NewEntryAttribute(testUserSearchUIDAttribute, []string{testUserSearchResultUIDAttributeValue}),
+								},
+							},
+						},
+					}, nil).Times(1)
+				conn.EXPECT().SearchWithPaging(expectedGroupSearch(func(r *ldap.SearchRequest) {
+					r.Filter = fmt.Sprintf("(member=%s)", `result DN with \2a \5c special characters \28\29`)
+				}), expectedGroupSearchPageSize).Return(exampleGroupSearchResult, nil).Times(1)
+				conn.EXPECT().Close().Times(1)
+			},
+			bindEndUserMocks: func(conn *mockldapconn.MockConn) {
+				conn.EXPECT().Bind(`result DN with * \ special characters ()`, testUpstreamPassword).Times(1)
+			},
+			wantAuthResponse: expectedAuthResponse(func(r *authenticators.Response) {
+				r.DN = `result DN with * \ special characters ()`
+			}),
+		},
 		{
 			name:           "group names are sorted to make the result more stable/predictable",
 			username:       testUpstreamUsername,

Original file line number	Diff line number	Diff line change
`@@ -715,18 +715,24 @@ func (p *Provider) groupSearchRequestedAttributes() []string {`
`715`	`715`	`}`
`716`	`716`
`717`	`717`	`func (p *Provider) userSearchFilter(username string) string {`
`718`		`- safeUsername := p.escapeUsernameForSearchFilter(username)`
	`718`	`+ // The username is end user input, so it should be escaped before being included in a search to prevent`
	`719`	`+ // query injection.`
	`720`	`+ safeUsername := p.escapeForSearchFilter(username)`
`719`	`721`	`if len(p.c.UserSearch.Filter) == 0 {`
`720`	`722`	`return fmt.Sprintf("(%s=%s)", p.c.UserSearch.UsernameAttribute, safeUsername)`
`721`	`723`	`}`
`722`	`724`	`return interpolateSearchFilter(p.c.UserSearch.Filter, safeUsername)`
`723`	`725`	`}`
`724`	`726`
`725`	`727`	`func (p *Provider) groupSearchFilter(userDN string) string {`
	`728`	`+ // The DN can contain characters that are considered special characters by LDAP searches, so it should be`
	`729`	`+ // escaped before being included in the search filter to prevent bad search syntax.`
	`730`	+ // E.g. for the DN `CN=My User (Admin),OU=Users,OU=my,DC=my,DC=domain` we must escape the parens.
	`731`	`+ safeUserDN := p.escapeForSearchFilter(userDN)`
`726`	`732`	`if len(p.c.GroupSearch.Filter) == 0 {`
`727`		`- return fmt.Sprintf("(member=%s)", userDN)`
	`733`	`+ return fmt.Sprintf("(member=%s)", safeUserDN)`
`728`	`734`	`}`
`729`		`- return interpolateSearchFilter(p.c.GroupSearch.Filter, userDN)`
	`735`	`+ return interpolateSearchFilter(p.c.GroupSearch.Filter, safeUserDN)`
`730`	`736`	`}`
`731`	`737`
`732`	`738`	`func interpolateSearchFilter(filterFormat, valueToInterpolateIntoFilter string) string {`
`@@ -737,9 +743,8 @@ func interpolateSearchFilter(filterFormat, valueToInterpolateIntoFilter string)`
`737`	`743`	`return "(" + filter + ")"`
`738`	`744`	`}`
`739`	`745`
`740`		`-func (p *Provider) escapeUsernameForSearchFilter(username string) string {`
`741`		`- // The username is end user input, so it should be escaped before being included in a search to prevent query injection.`
`742`		`- return ldap.EscapeFilter(username)`
	`746`	`+func (p *Provider) escapeForSearchFilter(s string) string {`
	`747`	`+ return ldap.EscapeFilter(s)`
`743`	`748`	`}`
`744`	`749`
`745`	`750`	`// Returns the (potentially) binary data of the attribute's value, base64 URL encoded.`