fix: LDAP search injection (#16942)

Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: wrd <w940853815@gmail.com>
This commit is contained in:
fit2bot
2026-07-01 18:13:36 +08:00
committed by GitHub
parent 63e80b736e
commit 86cd9df449

View File

@@ -6,30 +6,34 @@ import os
from collections import defaultdict
from copy import deepcopy
from authentication.backends.ldap import (
LDAPAuthorizationBackend,
LDAPHAAuthorizationBackend,
LDAPUser,
)
from common.const import LDAP_AD_ACCOUNT_DISABLE
from common.db.utils import close_old_connections
from common.utils import get_logger, timeit
from common.utils.http import is_true
from django.conf import settings
from django.core.cache import cache
from django.utils.translation import gettext_lazy as _
from ldap3 import Server, Connection, SIMPLE, Tls
from ldap3 import SIMPLE, Connection, Server
from ldap3.core.exceptions import (
LDAPAttributeError,
LDAPBindError,
LDAPConfigurationError,
LDAPExceptionError,
LDAPInvalidDnError,
LDAPInvalidFilterError,
LDAPInvalidServerError,
LDAPPasswordIsMandatoryError,
LDAPSessionTerminatedByServerError,
LDAPSocketOpenError,
LDAPSocketReceiveError,
LDAPSessionTerminatedByServerError,
LDAPUserNameIsMandatoryError,
LDAPPasswordIsMandatoryError,
LDAPInvalidDnError,
LDAPInvalidServerError,
LDAPBindError,
LDAPInvalidFilterError,
LDAPExceptionError,
LDAPConfigurationError,
LDAPAttributeError,
)
from settings.ldap_tls import LDAPTLSUtil
from common.const import LDAP_AD_ACCOUNT_DISABLE
from common.db.utils import close_old_connections
from common.utils import timeit, get_logger
from common.utils.http import is_true
from ldap3.utils.conv import escape_filter_chars
from orgs.utils import tmp_to_org
from settings.const import ImportStatus
from users.models import User, UserGroup
@@ -161,11 +165,14 @@ class LDAPServerUtil(object):
if self.search_users:
mapping_username = self.config.attr_map.get('username')
for user in self.search_users:
extra += '({}={})'.format(mapping_username, user)
extra += '({}={})'.format(
mapping_username, escape_filter_chars(user)
)
return '(|{})'.format(extra)
if self.search_value:
escaped_search_value = escape_filter_chars(self.search_value)
for attr in self.config.attr_map.values():
extra += '({}={})'.format(attr, '*{}*'.format(self.search_value))
extra += '({}={})'.format(attr, '*{}*'.format(escaped_search_value))
return '(|{})'.format(extra)
return extra