Query injection attack / security vulnerability
valodzka opened this issue · 5 comments
Using simple Python formatting for X-Ldap-Template and user input opens the door to LDAP query injection attacks. For example:
X-Ldap-Template: (|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))
Then passing the username x))((cn=username bypasses the group check.
This might help to improve the implementation: https://rules.sonarsource.com/python/RSPEC-2078
Until the code is improved, if I'm not mistaken, using a query like this should improve the situation:
X-Ldap-Template: (&(cn=%(username)s)(|(memberOf=x)(memberOf=y)))
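As an added illustration (not code from nginx-ldap-auth or from anyone in this thread), the escaping step that closes the hole described in the report, applied to the template and username given above; the function names are assumptions, and the only fix shown is escaping every user-supplied value before %-formatting.

```python
# Added example: RFC 4515 filter-value escaping applied to the template from the
# issue. Names (escape_filter_value, render_filter, render_filter_unsafe) are
# assumptions, not the daemon's own API.

# Template and username exactly as given in the report.
LDAP_TEMPLATE = "(|(&(memberOf=x)(cn=%(username)s))(&(memberOf=y)(cn=%(username)s)))"
MALICIOUS_USERNAME = "x))((cn=username"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    RFC 4515 section 3: the characters '*', '(', ')', '\\' and NUL must be
    written as a backslash followed by two hex digits, so user input can
    never add or close a filter component.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter_unsafe(template: str, username: str) -> str:
    """The vulnerable pattern: raw user input substituted into the template."""
    return template % {"username": username}


def render_filter(template: str, username: str) -> str:
    """The hardened pattern: escape the value first, then substitute."""
    return template % {"username": escape_filter_value(username)}


def open_paren_count(filt: str) -> int:
    """Number of literal '(' in a rendered filter; a quick structural check
    that the user value did not add filter components (escaped parens
    become \\28 / \\29 and are not counted)."""
    return filt.count("(")


if __name__ == "__main__":
    unsafe = render_filter_unsafe(LDAP_TEMPLATE, MALICIOUS_USERNAME)
    safe = render_filter(LDAP_TEMPLATE, MALICIOUS_USERNAME)
    print("unsafe:", unsafe, open_paren_count(unsafe))   # 11 parens: structure altered
    print("safe:  ", safe, open_paren_count(safe))       # 7 parens: same as template
```

With the benign username `alice` the template renders with 7 opening parentheses; the unescaped malicious value raises that to 11, while the escaped value keeps it at 7.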
Thanks! Addressed with 763f23b
For future reference, please direct security issues to security-alerts@nginx.org
I don't understand how that commit addresses the issue.
Will there be a release tag with this included?
I also don't see how it was fixed.
Also, emails return:
450 4.1.1 <security-alerts@nginx.org>: Recipient address rejected: User unknown in virtual mailbox table