From 77333d619c72936850328a21dba6868afd466f69 Mon Sep 17 00:00:00 2001
From: hsinhoyeh <yhh92u@gmail.com>
Date: Tue, 12 Mar 2024 05:46:11 +0800
Subject: [PATCH] fix: add sanitizer to ldap account and password (#3372)

Signed-off-by: hsinhoyeh <yhh92u@gmail.com>
---
 connector/ldap/ldap.go      |  4 ++++
 connector/ldap/ldap_test.go | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
index c50d8309..f0aa7eff 100644
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -460,6 +460,7 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 
 func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
 	// make this check to avoid unauthenticated bind to the LDAP server.
+
 	if password == "" {
 		return connector.Identity{}, false, nil
 	}
@@ -471,6 +472,9 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
 		user          ldap.Entry
 	)
 
+	username = ldap.EscapeFilter(username)
+	password = ldap.EscapeFilter(password)
+
 	err = c.do(ctx, func(conn *ldap.Conn) error {
 		entry, found, err := c.userEntry(conn, username)
 		if err != nil {
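Review bot: `password = ldap.EscapeFilter(password)` on the new line corrupts legitimate credentials rather than sanitising anything: EscapeFilter rewrites `*`, `(`, `)`, `\` and NUL into `\xx` sequences, so a user whose password contains any of those characters will bind with a different string and be rejected, while the password never goes into an LDAP filter at all (its only apparent use is the bind, which is outside this hunk). Drop that line and leave the password bytes untouched; the empty-password guard above is the check the bind needs. Escaping the username here is only correct if `userEntry` does not already escape it when it builds the `(attr=value)` filter — that function starts above this hunk and I cannot see its body; if it does, the new line double-escapes (`a\2a` becomes `a\5c2a`) and breaks usernames containing backslashes or parentheses, so the escaping should live in exactly one place, ideally where the filter string is assembled. Login's body continues below the hunk.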
diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
index 24254dcc..f00f1ead 100644
--- a/connector/ldap/ldap_test.go
+++ b/connector/ldap/ldap_test.go
@@ -83,6 +83,18 @@ func TestQuery(t *testing.T) {
 			password:  "foo",
 			wantBadPW: true, // Want invalid password, not a query error.
 		},
+		{
+			name:      "invalid wildcard username",
+			username:  "a*", // wildcard query is not allowed
+			password:  "foo",
+			wantBadPW: true, // Want invalid password, not a query error.
+		},
+		{
+			name:      "invalid wildcard password",
+			username:  "john",
+			password:  "*",  // wildcard password is not allowed
+			wantBadPW: true, // Want invalid password, not a query error.
+		},
 	}
 
 	runTests(t, connectLDAP, c, tests)
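Review bot: The "invalid wildcard password" case cannot detect the change it is meant to cover: `*` is not john's password, so `wantBadPW: true` holds whether or not the password is escaped, and the same is largely true of `a*` once the filter is escaped. What would pin the behaviour is a positive case — a fixture user whose password contains a filter-special character, e.g. `password: "foo*bar"` with the expected identity and `wantBadPW: false`, plus a username containing `(` or `\` — and such a case would also reveal that escaping the password before the bind rejects that user. The `tests` table begins above this hunk, and the fixture users are presumably defined elsewhere in the file, so the new entry would need a matching LDIF addition.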
-- 
GitLab