-
Notifications
You must be signed in to change notification settings - Fork 723
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PDI-20206] Add base64/url decoding for passwords in LDAP authenticator #5726
Conversation
This comment has been minimized.
This comment has been minimized.
...taho/platform/repository2/userroledao/jackrabbit/security/DefaultPentahoPasswordEncoder.java
Outdated
Show resolved
Hide resolved
...ntaho/platform/plugin/services/security/userrole/ldap/DefaultLdapAuthenticationProvider.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, let's wait for wingman to see if tests pass.
Quality Gate failedFailed conditions |
📦 Vulnerable Dependencies✍️ Summary
🔬 Research Details[ CVE-2021-41411 ] org.drools:drools-core 6.4.0.FinalDescription: A KIE project or module is simply a Maven Java project or module; with an additional metadata file The This can be exploited by an attacker that is able to add or alter a KIE project/module. [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2Description: [ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.1Description: [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3Description: [ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.3.3Description: [ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2Description: [ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.1Description: When the The attackers must still find an input that propagates either to the HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map); Remediation: Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.3.3Description: [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3Description: [ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.3.3Description: When the The attackers must still find an input that propagates either to the HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map); Remediation: Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.1Description: [ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2Description: When the The attackers must still find an input that propagates either to the HashMap<String,Object> map=new HashMap<>();
map.put("t",map);
JSONObject jsonObject=new JSONObject(map); Remediation: Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2Description: [ CVE-2022-1415 ] org.drools:drools-core 6.4.0.FinalDescription: [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1Description: [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2Description: [ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.3.3Description: When the To exploit this issue, the attacker must find an input that propagates to the String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s); Remediation: Development mitigationsThis issue can be mitigated by checking the nested depth of the input JSON before passing it to the
Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1Description: [ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.1Description: When the To exploit this issue, the attacker must find an input that propagates to the String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s); Remediation: Development mitigationsThis issue can be mitigated by checking the nested depth of the input JSON before passing it to the
Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2Description: When the To exploit this issue, the attacker must find an input that propagates to the String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)";
new JSONObject(s); Remediation: Development mitigationsThis issue can be mitigated by checking the nested depth of the input JSON before passing it to the
Development mitigationsWrap the try {
JSONObject jsonObject=new JSONObject(map);
}
catch(StackOverflowError e) {
System.err.println("ERROR: Stack limit reached");
} [ CVE-2023-35116 ] com.fasterxml.jackson.core:jackson-databind 2.14.2Description: |
❌ Build failed in 1h 2m 49sBuild command: mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
core,extensions,repository 👌 All tests passed! Tests run: 2599, Failures: 0, Skipped: 5 Test Results ℹ️ This is an automatic message |
As part of BISERVER-14644, it was missing to decode the passwords for LDAP authentication in the server. This PR reuses the method done in the previous issue (with some slight improvements) to also apply the same decodification on LDAP authentication.
@pentaho/tatooine_dev please review