This is an automated email from the ASF dual-hosted git repository. kezhenxu94 pushed a commit to branch bugfix/ldap in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
commit 001ca807e14709b737dfc5e2dd7314096083d9a8
Author: kezhenxu94 <[email protected]>
AuthorDate: Mon Aug 22 11:47:29 2022 +0800
Fix vulnerability in LDAP login
---
 dolphinscheduler-api/pom.xml | 5 +++++
 .../api/security/impl/ldap/LdapService.java | 14 ++++++++------
 dolphinscheduler-bom/pom.xml | 6 ++++++
 3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/dolphinscheduler-api/pom.xml b/dolphinscheduler-api/pom.xml
index d3ffc0a772..74de5d9b1f 100644
--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@@ -176,6 +176,11 @@
 <artifactId>py4j</artifactId>
 </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-ldap</artifactId>
+ </dependency>
+
 <dependency>
 <groupId>com.h2database</groupId>
 <artifactId>h2</artifactId>
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
index 8a7dd5a784..1cca542aab 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@@ -38,11 +38,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 @Component
 @Configuration
 public class LdapService {
+
 private static final Logger logger = LoggerFactory.getLogger(LdapService.class);
 @Value("${security.authentication.ldap.user.admin:#{null}}")
@@ -89,20 +91,19 @@ public class LdapService {
 Properties searchEnv = getManagerLdapEnv();
 LdapContext ctx = null;
 try {
- //Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
+ // Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
 ctx = new InitialLdapContext(searchEnv, null);
 SearchControls sc = new SearchControls();
 sc.setReturningAttributes(new String[]{ldapEmailAttribute});
 sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
- String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
- //Search for the user you want to authenticate, search him with some attribute
- NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
+ EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+ NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
 if (results.hasMore()) {
 // get the users DN (distinguishedName) from the result
 SearchResult result = results.next();
 NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();
 while (attrs.hasMore()) {
- //Open another connection to the LDAP server with the found DN and the password
+ // Open another connection to the LDAP server with the found DN and the password
 searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
 searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
 try {
@@ -149,7 +150,8 @@ public class LdapService {
 public LdapUserNotExistActionType getLdapUserNotExistAction() {
 if (StringUtils.isBlank(ldapUserNotExistAction)) {
- logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+ logger.info(
+ "security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
 return LdapUserNotExistActionType.CREATE;
 }
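Review bot: The new filter is flattened with `filter.toString()` on the `ctx.search` line, relying on the Spring LDAP filter's string form instead of its documented encoding method; `NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.encode(), sc);` names the intent and does not depend on `toString` staying equivalent. The same value escaping is available from the JDK without the new dependency: the `DirContext.search` overload that takes filter arguments substitutes `{0}` as an attribute value rather than as filter syntax, so `ctx.search(ldapBaseDn, "(" + ldapUserIdentifyingAttribute + "={0})", new Object[]{userId}, sc)` would do, leaving only the configured attribute name unescaped. Separately, the bind below still passes `userPwd` through unchanged; if the method's opening lines (outside this hunk) do not reject a blank password, a directory that honours RFC 4513 unauthenticated binds may accept an empty credential for any DN the search found, so a `StringUtils.isBlank(userPwd)` guard ahead of the search is worth confirming. The enclosing method begins and ends outside the hunk.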
diff --git a/dolphinscheduler-bom/pom.xml b/dolphinscheduler-bom/pom.xml
index 1ce13f6d9a..0599d5510e 100644
--- a/dolphinscheduler-bom/pom.xml
+++ b/dolphinscheduler-bom/pom.xml
@@ -609,6 +609,12 @@
 <!-- TODO: remove this dependency management after removing powermock -->
 <scope>test</scope>
 </dependency>
+
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-ldap</artifactId>
+ <version>1.1.2</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
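Review bot: The pinned `spring-ldap` 1.1.2 is a very old release of the 1.x line, which is also why LdapService.java imports `org.springframework.ldap.support.filter.EqualsFilter`; as far as I recall, later releases ship as `spring-ldap-core` with the filter classes under `org.springframework.ldap.filter`. Choosing such an old artifact for a security fix should be checked against the project's dependency-vulnerability scan before merge, and the reason for the version deserves a comment beside it, e.g. `<!-- pinned for EqualsFilter only; see LdapService -->`. If a current artifact is not acceptable, the JDK's `DirContext.search(..., Object[] filterArgs, ...)` overload gives the same attribute-value escaping with no new dependency at all.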
