Fix vulnerability in LDAP login (#11586)

2 years ago · 17a9dd25fa
4 changed files with 20 additions and 6 deletions
--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@ -176,6 +176,11 @@
            <artifactId>py4j</artifactId>
        </dependency>

+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-ldap</artifactId>
+        </dependency>
+
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@ -38,11 +38,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;

@Component
@Configuration
 public class LdapService {
+
    private static final Logger logger = LoggerFactory.getLogger(LdapService.class);

    @Value("${security.authentication.ldap.user.admin:#{null}}")
@ -94,9 +96,8 @@ public class LdapService {
            SearchControls sc = new SearchControls();
            sc.setReturningAttributes(new String[]{ldapEmailAttribute});
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
-            //Search for the user you want to authenticate, search him with some attribute
-            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
+            EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
            if (results.hasMore()) {
                // get the users DN (distinguishedName) from the result
                SearchResult result = results.next();
@ -149,7 +150,8 @@ public class LdapService {

    public LdapUserNotExistActionType getLdapUserNotExistAction() {
        if (StringUtils.isBlank(ldapUserNotExistAction)) {
-            logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+            logger.info(
+                    "security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
            return LdapUserNotExistActionType.CREATE;
        }

--- a/dolphinscheduler-bom/pom.xml
+++ b/dolphinscheduler-bom/pom.xml
@ -609,6 +609,12 @@
                <!-- TODO: remove this dependency management after removing powermock -->
                <scope>test</scope>
            </dependency>
+
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-ldap</artifactId>
+                <version>1.1.2</version>
+            </dependency>
        </dependencies>

    </dependencyManagement>
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@ -251,6 +251,7 @@ spring-core-5.3.19.jar
 spring-expression-5.3.22.jar
 spring-jcl-5.3.22.jar
 spring-jdbc-5.3.19.jar
+spring-ldap-1.1.2.jar
 spring-plugin-core-2.0.0.RELEASE.jar
 spring-plugin-metadata-2.0.0.RELEASE.jar
 spring-tx-5.3.19.jar