diff --git a/changelog/unreleased/escape-ldap-filter.md b/changelog/unreleased/escape-ldap-filter.md
new file mode 100644
index 0000000000..a1bad3ecdf
--- /dev/null
+++ b/changelog/unreleased/escape-ldap-filter.md
@@ -0,0 +1,5 @@
+Enhancement: escape ldap filters
+
+Added ldap filter escaping to increase the security of reva.
+
+https://github.com/cs3org/reva/pull/2042
diff --git a/pkg/auth/manager/ldap/ldap.go b/pkg/auth/manager/ldap/ldap.go
index cefd1adef0..b136a05f5d 100644
--- a/pkg/auth/manager/ldap/ldap.go
+++ b/pkg/auth/manager/ldap/ldap.go
@@ -244,5 +244,5 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 }
 
 func (am *mgr) getLoginFilter(login string) string {
-	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", login)
+	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", ldap.EscapeFilter(login))
 }
diff --git a/pkg/group/manager/ldap/ldap.go b/pkg/group/manager/ldap/ldap.go
index a41cec3625..196d608ade 100644
--- a/pkg/group/manager/ldap/ldap.go
+++ b/pkg/group/manager/ldap/ldap.go
@@ -393,10 +393,10 @@ func (m *manager) getMemberFilter(gid *grouppb.GroupId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }
diff --git a/pkg/user/manager/ldap/ldap.go b/pkg/user/manager/ldap/ldap.go
index 575bfcd0d3..c2dcde670f 100644
--- a/pkg/user/manager/ldap/ldap.go
+++ b/pkg/user/manager/ldap/ldap.go
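Review bot: getLoginFilter in pkg/auth/manager/ldap/ldap.go now calls ldap.EscapeFilter, but the import block is outside the hunk, so confirm the file imports the go-ldap package that provides it (presumably it already does for the bind) and that `strings` stays imported for ReplaceAll. The change ships without a test or doc comment; a table test with LoginFilter `(uid={{login}})` and login `a*b` expecting `(uid=a\2ab)` would pin that filter metacharacters are emitted as RFC 4515 hex escapes rather than interpreted as filter syntax, which is the whole point of the change. I would add `// getLoginFilter substitutes login into the configured LoginFilter template, escaping it per RFC 4515 so it is always treated as a literal assertion value.` above the function. Authenticate, named in the hunk header, lies outside the hunk.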
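Review bot: Escaping `attribute` with ldap.EscapeFilter in getAttributeFilter (pkg/group/manager/ldap/ldap.go) treats an attribute description as if it were an assertion value: RFC 4515 hex escapes are defined for values only, so an attribute name containing `(`, `)`, `*` or `\` turns into a syntactically invalid attribute description and the server rejects the search — fail-closed, but surfaced as an LDAP error instead of a clear validation error. If `attribute` is only ever a schema attribute name taken from the manager's config (its callers are outside the hunk), checking it against those known names would be the clearer guard, and escaping `value` alone does the security work; the same applies to getAttributeFilter in pkg/user/manager/ldap/ldap.go. Whichever way it goes, a one-line doc comment on getAttributeFilter and getFindFilter stating that substituted values are escaped per RFC 4515 while the template itself comes from trusted config would help the next reader. getMemberFilter, named in the hunk header, lies outside the hunk.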
@@ -424,12 +424,12 @@ func (m *manager) getUserFilter(uid *userpb.UserId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }
 
 func (m *manager) getGroupFilter(uid *userpb.UserId) string {
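Review bot: getUserFilter and getGroupFilter, which bracket this hunk as its header context and its last line, have bodies outside the hunk; if they substitute uid.OpaqueId into the UserFilter/GroupFilter templates the same way these helpers do (strings.ReplaceAll on a placeholder), they need the same ldap.EscapeFilter wrapping, otherwise an opaque id carrying filter metacharacters still reaches the server unescaped while the sibling helpers are protected. The same question applies to getMemberFilter in pkg/group/manager/ldap/ldap.go, which that file's hunk header names but does not change. Whether those helpers are touched elsewhere in this PR is not visible here, so this may already be covered.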