Browse Source

Fix vulnerability in LDAP login (#11586)

3.1.0-release
kezhenxu94 2 years ago committed by GitHub
parent
commit
17a9dd25fa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      dolphinscheduler-api/pom.xml
  2. 10
      dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
  3. 6
      dolphinscheduler-bom/pom.xml
  4. 1
      tools/dependencies/known-dependencies.txt

5
dolphinscheduler-api/pom.xml

@ -176,6 +176,11 @@
<artifactId>py4j</artifactId> <artifactId>py4j</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-ldap</artifactId>
</dependency>
<dependency> <dependency>
<groupId>com.h2database</groupId> <groupId>com.h2database</groupId>
<artifactId>h2</artifactId> <artifactId>h2</artifactId>

10
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java

@ -38,11 +38,13 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.support.filter.EqualsFilter;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
@Component @Component
@Configuration @Configuration
public class LdapService { public class LdapService {
private static final Logger logger = LoggerFactory.getLogger(LdapService.class); private static final Logger logger = LoggerFactory.getLogger(LdapService.class);
@Value("${security.authentication.ldap.user.admin:#{null}}") @Value("${security.authentication.ldap.user.admin:#{null}}")
@ -94,9 +96,8 @@ public class LdapService {
SearchControls sc = new SearchControls(); SearchControls sc = new SearchControls();
sc.setReturningAttributes(new String[]{ldapEmailAttribute}); sc.setReturningAttributes(new String[]{ldapEmailAttribute});
sc.setSearchScope(SearchControls.SUBTREE_SCOPE); sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId); EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
//Search for the user you want to authenticate, search him with some attribute NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
if (results.hasMore()) { if (results.hasMore()) {
// get the users DN (distinguishedName) from the result // get the users DN (distinguishedName) from the result
SearchResult result = results.next(); SearchResult result = results.next();
@ -149,7 +150,8 @@ public class LdapService {
public LdapUserNotExistActionType getLdapUserNotExistAction() { public LdapUserNotExistActionType getLdapUserNotExistAction() {
if (StringUtils.isBlank(ldapUserNotExistAction)) { if (StringUtils.isBlank(ldapUserNotExistAction)) {
logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'"); logger.info(
"security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
return LdapUserNotExistActionType.CREATE; return LdapUserNotExistActionType.CREATE;
} }

6
dolphinscheduler-bom/pom.xml

@ -609,6 +609,12 @@
<!-- TODO: remove this dependency management after removing powermock --> <!-- TODO: remove this dependency management after removing powermock -->
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.1.2</version>
</dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>

1
tools/dependencies/known-dependencies.txt

@ -251,6 +251,7 @@ spring-core-5.3.19.jar
spring-expression-5.3.22.jar spring-expression-5.3.22.jar
spring-jcl-5.3.22.jar spring-jcl-5.3.22.jar
spring-jdbc-5.3.19.jar spring-jdbc-5.3.19.jar
spring-ldap-1.1.2.jar
spring-plugin-core-2.0.0.RELEASE.jar spring-plugin-core-2.0.0.RELEASE.jar
spring-plugin-metadata-2.0.0.RELEASE.jar spring-plugin-metadata-2.0.0.RELEASE.jar
spring-tx-5.3.19.jar spring-tx-5.3.19.jar

Loading…
Cancel
Save