Security Fix 10: LDAP filter injection in LDAP auth.

Thanks to Joshua Rogers of joshua.hu (Twitter: MegaManSec)!
This commit is contained in:
Lauri Ojansivu 2025-12-29 17:13:32 +02:00
parent 1d16955b6d
commit 0b0e16c3ea


@ -208,7 +208,9 @@ export default class LDAP {
}
}
const usernameFilter = this.options.User_Search_Field.split(',').map((item) => `(${item}=${username})`);
// Escape the username to prevent LDAP injection
const escapedUsername = escapedToHex(username);
const usernameFilter = this.options.User_Search_Field.split(',').map((item) => `(${item}=${escapedUsername})`);
if (usernameFilter.length === 0) {
Log.error('LDAP_LDAP_User_Search_Field not defined');
@ -234,11 +236,13 @@ export default class LDAP {
/* if SimpleAuth is configured, the BaseDN is not needed */
if (!this.options.BaseDN && !this.options.AD_Simple_Auth) throw new Error('BaseDN is not provided');
// Escape the username to prevent LDAP injection in DN construction
const escapedUsername = escapedToHex(username);
var userDn = "";
if (this.options.AD_Simple_Auth === true || this.options.AD_Simple_Auth === 'true') {
userDn = `${username}@${this.options.Default_Domain}`;
userDn = `${escapedUsername}@${this.options.Default_Domain}`;
} else {
userDn = `${this.options.User_Authentication_Field}=${username},${this.options.BaseDN}`;
userDn = `${this.options.User_Authentication_Field}=${escapedUsername},${this.options.BaseDN}`;
}
Log.info(`Binding with User ${userDn}`);
@ -381,8 +385,10 @@ export default class LDAP {
filter.push(')');
// Escape the username to prevent LDAP injection
const escapedUsername = escapedToHex(username);
const searchOptions = {
filter: filter.join('').replace(/#{username}/g, username).replace("\\", "\\\\"),
filter: filter.join('').replace(/#{username}/g, escapedUsername).replace("\\", "\\\\"),
scope : 'sub',
};
@ -429,8 +435,10 @@ export default class LDAP {
}
filter.push(')');
// Escape the username to prevent LDAP injection
const escapedUsername = escapedToHex(username);
const searchOptions = {
filter: filter.join('').replace(/#{username}/g, username).replace("\\", "\\\\"),
filter: filter.join('').replace(/#{username}/g, escapedUsername).replace("\\", "\\\\"),
scope : 'sub',
};
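Review bot: In the -381 and -429 hunks the trailing `.replace("\\", "\\\\")` now runs on the already-escaped username; if `escapedToHex` emits RFC 4515 backslash-hex sequences (its definition is outside these hunks), the first such sequence gets its backslash doubled and the filter no longer matches the intended value, while any later backslashes are left untouched because a string pattern replaces only the first occurrence. The `#{username}` substitution also passes `escapedUsername` as a replacement string, so unless `escapedToHex` escapes `$`, a username containing `$&` or `$1` is expanded by `String.prototype.replace` rather than inserted literally. Both points are addressed by dropping the backslash replace and using a function replacer on each of the two lines: `filter: filter.join('').replace(/#{username}/g, () => escapedUsername),`. Whether the same filter-style hex escaping is the right treatment for the DN and UPN built in the -234 hunk depends on how `escapedToHex` handles RFC 4514 DN specials (`,`, `+`, `"`, leading/trailing spaces), so a comment there stating which RFC the escaping targets would help reviewers. The enclosing methods start and end outside these hunks.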