From 17a9dd25fa0e80b048394f79db130f56eb8ef72f Mon Sep 17 00:00:00 2001
From: kezhenxu94
Date: Mon, 22 Aug 2022 13:49:14 +0800
Subject: [PATCH] Fix vulnerability in LDAP login (#11586)

---
 dolphinscheduler-api/pom.xml | 5 +++++
 .../api/security/impl/ldap/LdapService.java | 14 ++++++++------
 dolphinscheduler-bom/pom.xml | 6 ++++++
 tools/dependencies/known-dependencies.txt | 1 +
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/dolphinscheduler-api/pom.xml b/dolphinscheduler-api/pom.xml
index d3ffc0a772..74de5d9b1f 100644
--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@@ -176,6 +176,11 @@ py4j + + org.springframework + spring-ldap + + com.h2database h2
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
index 8a7dd5a784..1cca542aab 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@@ -38,11 +38,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 
 @Component
 @Configuration
 public class LdapService {
+
 private static final Logger logger = LoggerFactory.getLogger(LdapService.class);
 
 @Value("${security.authentication.ldap.user.admin:#{null}}")
@@ -89,20 +91,19 @@ public class LdapService {
 Properties searchEnv = getManagerLdapEnv();
 LdapContext ctx = null;
 try {
- //Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
+ // Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
 ctx = new InitialLdapContext(searchEnv, null);
 SearchControls sc = new SearchControls();
 sc.setReturningAttributes(new String[]{ldapEmailAttribute});
 sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
- String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
- //Search for the user you want to authenticate, search him with some attribute
- NamingEnumeration results = ctx.search(ldapBaseDn, searchFilter, sc);
+ EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+ NamingEnumeration results = ctx.search(ldapBaseDn, filter.toString(), sc);
 if (results.hasMore()) {
 // get the users DN (distinguishedName) from the result
 SearchResult result = results.next();
 NamingEnumeration attrs = result.getAttributes().getAll();
 while (attrs.hasMore()) {
- //Open another connection to the LDAP server with the found DN and the password
+ // Open another connection to the LDAP server with the found DN and the password
 searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
 searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
 try {
@@ -149,7 +150,8 @@ public class LdapService {
 
 public LdapUserNotExistActionType getLdapUserNotExistAction() {
 if (StringUtils.isBlank(ldapUserNotExistAction)) {
- logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+ logger.info(
+ "security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
 return LdapUserNotExistActionType.CREATE;
 }
 
diff --git a/dolphinscheduler-bom/pom.xml b/dolphinscheduler-bom/pom.xml
index 1ce13f6d9a..0599d5510e 100644
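Review bot: `EqualsFilter` closes the filter-injection hole (it escapes the LDAP filter metacharacters in `userId` before the string reaches `ctx.search`), but the bind two lines below the `while` still forwards `userPwd` unchanged into `Context.SECURITY_CREDENTIALS`, and no blank-password check is visible in the hunk; the start of the method lies outside it, so if nothing earlier rejects a blank password, an empty credential turns the second `InitialLdapContext` into an unauthenticated bind, which many directories accept, and the search hit would be treated as a successful login. A guard such as `if (StringUtils.isBlank(userPwd)) { return null; }` (using whatever failure value the method already returns) placed before the search, or at least before the bind, would close that path. Separately, `results` and `attrs` are raw types where `ctx.search` returns `NamingEnumeration<SearchResult>` and `getAll()` returns `NamingEnumeration<? extends Attribute>`, and neither enumeration is visibly closed; if the `finally` outside the hunk only closes `ctx`, `results.close()` should be added alongside it.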
--- a/dolphinscheduler-bom/pom.xml
+++ b/dolphinscheduler-bom/pom.xml
@@ -609,6 +609,12 @@ test + + + org.springframework + spring-ldap + 1.1.2 +
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index 4487231d5b..b28957fd7a 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -251,6 +251,7 @@ spring-core-5.3.19.jar
 spring-expression-5.3.22.jar
 spring-jcl-5.3.22.jar
 spring-jdbc-5.3.19.jar
+spring-ldap-1.1.2.jar
 spring-plugin-core-2.0.0.RELEASE.jar
 spring-plugin-metadata-2.0.0.RELEASE.jar
 spring-tx-5.3.19.jar
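Review bot: The artifact pinned here, `org.springframework:spring-ldap` at `1.1.2`, is the legacy 1.x coordinate of Spring LDAP (the maintained line is published as `org.springframework.ldap:spring-ldap-core`), so a security fix ends up adding a long-unmaintained jar to the build solely for `EqualsFilter`; the same point applies to the dolphinscheduler-api/pom.xml hunk and the known-dependencies.txt entry. Since the surrounding entries show the project already on Spring 5.3.x, a current spring-ldap-core 2.x release should provide the same escaping via `org.springframework.ldap.filter.EqualsFilter` (note the different package from the import the commit adds), which keeps the new dependency on a line that still receives fixes. If the old artifact is kept on purpose, a short XML comment next to the version stating why would spare the next reviewer the same question.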