fix(security): escape LDAP filter inputs to prevent filter injection (CWE-90)
Use ldap.EscapeFilter() on all user-controlled inputs before interpolating them into LDAP search filter strings in SearchDN and SearchMailAlias. Prevents authentication bypass via filter manipulation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
121770c18a
commit
10f41e4ef8
1 changed files with 2 additions and 2 deletions
4
ldap.go
4
ldap.go
|
|
@ -74,7 +74,7 @@ func (l LDAPConn) SearchDN(username string, person bool) (string, error) {
|
|||
searchRequest := ldap.NewSearchRequest(
|
||||
l.BaseDN,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=%s)(uid=%s))", objectClass, username),
|
||||
fmt.Sprintf("(&(objectClass=%s)(uid=%s))", ldap.EscapeFilter(objectClass), ldap.EscapeFilter(username)),
|
||||
[]string{"dn"},
|
||||
nil,
|
||||
)
|
||||
|
|
@ -147,7 +147,7 @@ func (l LDAPConn) SearchMailAlias(address string) (int, error) {
|
|||
searchRequest := ldap.NewSearchRequest(
|
||||
l.BaseDN,
|
||||
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
|
||||
fmt.Sprintf("(&(objectClass=*)(mailAlias=%s))", address),
|
||||
fmt.Sprintf("(&(objectClass=*)(mailAlias=%s))", ldap.EscapeFilter(address)),
|
||||
[]string{"dn"},
|
||||
nil,
|
||||
)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue