vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Make sure to escape LDAP queries

Browse source 
Fixes an issue in team sync around group names that contain *s

Fixes https://www.pivotaltracker.com/story/show/144628235
This commit is contained in:
Joseph Schorr 2017-05-01 14:00:54 -04:00
parent 02c4d75634
commit 30a681343f
2 changed files with 46 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

17
data/users/externalldap.py
View file

@ -3,6 +3,7 @@ import logging
import os
from ldap.controls import SimplePagedResultsControl
from ldap.filter import filter_format, escape_filter_chars
from collections import namedtuple
from data.users.federated import FederatedUsers, UserInformation
@ -109,9 +110,10 @@ class LDAPUsers(FederatedUsers):
referral_dn = referral_uri[len('ldap:///'):]
return referral_dn
def _ldap_user_search_with_rdn(self, conn, username_or_email, user_search_dn):
query = u'(|({0}={2})({1}={2}))'.format(self._uid_attr, self._email_attr,
username_or_email)
def _ldap_user_search_with_rdn(self, conn, username_or_email, user_search_dn, suffix=''):
query = u'(|({0}={2}{3})({1}={2}{3}))'.format(self._uid_attr, self._email_attr,
escape_filter_chars(username_or_email),
suffix)
logger.debug('Conducting user search: %s under %s', query, user_search_dn)
try:
return (conn.search_s(user_search_dn, ldap.SCOPE_SUBTREE, query.encode('utf-8')), None)
@ -131,7 +133,7 @@ class LDAPUsers(FederatedUsers):
logger.debug('LDAP search exception')
return (None, 'Username not found')
def _ldap_user_search(self, username_or_email, limit=20):
def _ldap_user_search(self, username_or_email, limit=20, suffix=''):
if not username_or_email:
return (None, 'Empty username/email')
@ -147,7 +149,8 @@ class LDAPUsers(FederatedUsers):
logger.debug('Incoming username or email param: %s', username_or_email.__repr__())
for user_search_dn in self._user_dns:
(pairs, err_msg) = self._ldap_user_search_with_rdn(conn, username_or_email, user_search_dn)
(pairs, err_msg) = self._ldap_user_search_with_rdn(conn, username_or_email, user_search_dn,
suffix=suffix)
if pairs is not None and len(pairs) > 0:
break
@ -207,7 +210,7 @@ class LDAPUsers(FederatedUsers):
return (None, self.federated_service, 'Empty query')
logger.debug('Got query %s with limit %s', query, limit)
(results, err_msg) = self._ldap_user_search(query + '*', limit=limit)
(results, err_msg) = self._ldap_user_search(query, limit=limit, suffix='*')
if err_msg is not None:
return (None, self.federated_service, err_msg)
@ -296,7 +299,7 @@ class LDAPUsers(FederatedUsers):
lc = ldap.controls.libldap.SimplePagedResultsControl(criticality=True, size=page_size,
cookie='')
search_flt = '(memberOf=%s,%s)' % (group_dn, self._base_dn)
search_flt = filter_format('(memberOf=%s,%s)', (group_dn, self._base_dn))
attributes = [self._uid_attr, self._email_attr]
for user_search_dn in self._user_dns: