escape ldap filters (#2042)

David Christofas · web-flow · commit 65dcdcd82417 · 2021-09-07T08:09:39.000+02:00
diff --git a/changelog/unreleased/escape-ldap-filter.md b/changelog/unreleased/escape-ldap-filter.md
@@ -0,0 +1,5 @@
+Enhancement: escape ldap filters 
+
+Added ldap filter escaping to increase the security of reva.
+
+https://github.com/cs3org/reva/pull/2042
diff --git a/pkg/auth/manager/ldap/ldap.go b/pkg/auth/manager/ldap/ldap.go
@@ -244,5 +244,5 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 }
 
 func (am *mgr) getLoginFilter(login string) string {
-	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", login)
+	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", ldap.EscapeFilter(login))
 }
diff --git a/pkg/group/manager/ldap/ldap.go b/pkg/group/manager/ldap/ldap.go
@@ -393,10 +393,10 @@ func (m *manager) getMemberFilter(gid *grouppb.GroupId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }
diff --git a/pkg/user/manager/ldap/ldap.go b/pkg/user/manager/ldap/ldap.go
@@ -424,12 +424,12 @@ func (m *manager) getUserFilter(uid *userpb.UserId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }
 
 func (m *manager) getGroupFilter(uid *userpb.UserId) string {

Original file line number	Diff line number	Diff line change
`@@ -244,5 +244,5 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)`
`244`	`244`	`}`
`245`	`245`
`246`	`246`	`func (am *mgr) getLoginFilter(login string) string {`
`247`		`- return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", login)`
	`247`	`+ return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", ldap.EscapeFilter(login))`
`248`	`248`	`}`
Original file line number	Diff line number	Diff line change
`@@ -393,10 +393,10 @@ func (m manager) getMemberFilter(gid grouppb.GroupId) string {`
`393`	`393`	`}`
`394`	`394`
`395`	`395`	`func (m *manager) getAttributeFilter(attribute, value string) string {`
`396`		`- attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)`
`397`		`- return strings.ReplaceAll(attr, "{{value}}", value)`
	`396`	`+ attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))`
	`397`	`+ return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))`
`398`	`398`	`}`
`399`	`399`
`400`	`400`	`func (m *manager) getFindFilter(query string) string {`
`401`		`- return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)`
	`401`	`+ return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))`
`402`	`402`	`}`
Original file line number	Diff line number	Diff line change
`@@ -424,12 +424,12 @@ func (m manager) getUserFilter(uid userpb.UserId) string {`
`424`	`424`	`}`
`425`	`425`
`426`	`426`	`func (m *manager) getAttributeFilter(attribute, value string) string {`
`427`		`- attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)`
`428`		`- return strings.ReplaceAll(attr, "{{value}}", value)`
	`427`	`+ attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))`
	`428`	`+ return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))`
`429`	`429`	`}`
`430`	`430`
`431`	`431`	`func (m *manager) getFindFilter(query string) string {`
`432`		`- return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)`
	`432`	`+ return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))`
`433`	`433`	`}`
`434`	`434`
`435`	`435`	`func (m manager) getGroupFilter(uid userpb.UserId) string {`