
Fix vulnerability in LDAP login (#11586)

3.1.0-release
kezhenxu94 2 years ago committed by GitHub
parent
commit
17a9dd25fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      dolphinscheduler-api/pom.xml
  2. 14
      dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
  3. 6
      dolphinscheduler-bom/pom.xml
  4. 1
      tools/dependencies/known-dependencies.txt

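--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@@ -176,6 +176,11 @@
 <artifactId>py4j</artifactId>
 </dependency>
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-ldap</artifactId>
+</dependency>
 <dependency>
 <groupId>com.h2database</groupId>
 <artifactId>h2</artifactId>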

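--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@@ -38,11 +38,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 @Component
 @Configuration
 public class LdapService {
 private static final Logger logger = LoggerFactory.getLogger(LdapService.class);
 @Value("${security.authentication.ldap.user.admin:#{null}}")
@@ -89,20 +91,19 @@ public class LdapService {
 Properties searchEnv = getManagerLdapEnv();
 LdapContext ctx = null;
 try {
-//Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
+// Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
 ctx = new InitialLdapContext(searchEnv, null);
 SearchControls sc = new SearchControls();
 sc.setReturningAttributes(new String[]{ldapEmailAttribute});
 sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
-//Search for the user you want to authenticate, search him with some attribute
-NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
+EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
 if (results.hasMore()) {
 // get the users DN (distinguishedName) from the result
 SearchResult result = results.next();
 NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();
 while (attrs.hasMore()) {
-//Open another connection to the LDAP server with the found DN and the password
+// Open another connection to the LDAP server with the found DN and the password
 searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
 searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
 try {
@@ -149,7 +150,8 @@ public class LdapService {
 public LdapUserNotExistActionType getLdapUserNotExistAction() {
 if (StringUtils.isBlank(ldapUserNotExistAction)) {
-logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+logger.info(
+"security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
 return LdapUserNotExistActionType.CREATE;
 }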
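Review bot: The `EqualsFilter` on the old line 58 closes the filter-injection hole for `userId`, but nothing in this hunk rejects an empty `userPwd` before it is stored into `Context.SECURITY_CREDENTIALS` right after the `SECURITY_PRINCIPAL` put; with a JNDI simple bind, empty credentials are sent as an unauthenticated bind (RFC 4513 §5.1.2), which many directories accept by default, so a blank password could be taken as a successful login for any existing user unless the caller already checks this, which is not visible here. A guard before the user bind, `if (StringUtils.isBlank(userPwd)) { /* treat as failed login */ }` returning whatever this method returns on a failed bind, would close that independently of the caller (`StringUtils` is already used in this file). Note also that `EqualsFilter` escapes only the value: `ldapUserIdentifyingAttribute` is still interpolated verbatim as the attribute name, which is fine only as long as it stays an operator-controlled property and is never derived from request data. The enclosing login method starts and ends outside the hunk, so I cannot see whether the bind result is checked elsewhere.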

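--- a/dolphinscheduler-bom/pom.xml
+++ b/dolphinscheduler-bom/pom.xml
@@ -609,6 +609,12 @@
 <!-- TODO: remove this dependency management after removing powermock -->
 <scope>test</scope>
 </dependency>
+<dependency>
+<groupId>org.springframework</groupId>
+<artifactId>spring-ldap</artifactId>
+<version>1.1.2</version>
+</dependency>
 </dependencies>
 </dependencyManagement>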
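Review bot: The pinned `<version>1.1.2</version>` for `org.springframework:spring-ldap` is, as far as I can tell, a mid-2000s release of the pre-2.x line under the legacy coordinates, which is why the import in LdapService lands in `org.springframework.ldap.support.filter`; the maintained line is `org.springframework.ldap:spring-ldap-core` 2.x (where the class is `org.springframework.ldap.filter.EqualsFilter`, if I recall correctly). Adding an unmaintained artifact to the API module solely for filter-value escaping is more supply-chain surface than the fix needs, and known-dependencies.txt gaining only `spring-ldap-1.1.2.jar` suggests its transitive dependencies are either excluded or assumed present, which is worth confirming in the dependency tree. I would either move to `spring-ldap-core` on a current 2.x release and adjust the import, or drop the dependency and escape `userId` per RFC 4515 with a small local helper (`\`, `*`, `(`, `)` and NUL) — either keeps the injection fix without pulling in a dormant jar.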

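--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -251,6 +251,7 @@ spring-core-5.3.19.jar
 spring-expression-5.3.22.jar
 spring-jcl-5.3.22.jar
 spring-jdbc-5.3.19.jar
+spring-ldap-1.1.2.jar
 spring-plugin-core-2.0.0.RELEASE.jar
 spring-plugin-metadata-2.0.0.RELEASE.jar
 spring-tx-5.3.19.jar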
