This is an automated email from the ASF dual-hosted git repository.

chufenggao pushed a commit to branch 3.0.2-prepare
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git


The following commit(s) were added to refs/heads/3.0.2-prepare by this push:
     new 75f7f979c1 Fix vulnerability in LDAP login (#11586) (#12730)
75f7f979c1 is described below

commit 75f7f979c15e04eaa7e446dcfc6a76ec779bf111
Author: Eric Gao <[email protected]>
AuthorDate: Sat Nov 5 23:16:19 2022 +0800

    Fix vulnerability in LDAP login (#11586) (#12730)
    
    Co-authored-by: kezhenxu94 <[email protected]>
---
 dolphinscheduler-api/pom.xml                                     | 7 +++++++
 .../dolphinscheduler/api/security/impl/ldap/LdapService.java     | 9 +++++----
 tools/dependencies/known-dependencies.txt                        | 1 +
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/dolphinscheduler-api/pom.xml b/dolphinscheduler-api/pom.xml
index 75122e8df9..df58a777b9 100644
--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@@ -280,6 +280,13 @@
             <groupId>net.sf.py4j</groupId>
             <artifactId>py4j</artifactId>
         </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-ldap</artifactId>
+            <version>1.1.2</version>
+        </dependency>
+
     </dependencies>
 
     <build>
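Review bot: The new dependency pins `spring-ldap` at `1.1.2`, which appears to be a 2006-era release of the 1.x line; the maintained artifact is, as far as I recall, `spring-ldap-core` in the 2.x line, where the filter classes live under `org.springframework.ldap.filter` rather than `org.springframework.ldap.support.filter`. Pulling in an end-of-life artifact to obtain a single filter-escaping helper trades one class of risk for another, since the old jar will never receive fixes and will keep tripping dependency scanners. If the project's Spring BOM already manages an LDAP artifact, prefer the managed coordinate and drop the explicit `<version>`; otherwise consider `spring-ldap-core` and adjust the import in `LdapService.java` accordingly.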
diff --git 
a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
 
b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
index dd2123bd1c..15514a766f 100644
--- 
a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ 
b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@@ -35,11 +35,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 
 @Component
 @Configuration
 public class LdapService {
+
     private static final Logger logger = 
LoggerFactory.getLogger(LdapService.class);
 
     @Value("${security.authentication.ldap.user.admin:#{null}}")
@@ -87,15 +89,14 @@ public class LdapService {
             SearchControls sc = new SearchControls();
             sc.setReturningAttributes(new String[]{ldapEmailAttribute});
             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = String.format("(%s=%s)", 
ldapUserIdentifyingAttribute, userId);
-            //Search for the user you want to authenticate, search him with 
some attribute
-            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, 
searchFilter, sc);
+            EqualsFilter filter = new 
EqualsFilter(ldapUserIdentifyingAttribute, userId);
+            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, 
filter.toString(), sc);
             if (results.hasMore()) {
                 // get the users DN (distinguishedName) from the result
                 SearchResult result = results.next();
                 NamingEnumeration attrs = result.getAttributes().getAll();
                 while (attrs.hasMore()) {
-                    //Open another connection to the LDAP server with the 
found DN and the password
+                    // Open another connection to the LDAP server with the 
found DN and the password
                     searchEnv.put(Context.SECURITY_PRINCIPAL, 
result.getNameInNamespace());
                     searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
                     try {
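Review bot: The reason for switching to `EqualsFilter` is not stated anywhere in the code, and the removed explanatory comment on the search was not replaced, so a later maintainer could revert to `String.format` without realising that the point is escaping of `userId`; add `// EqualsFilter escapes LDAP filter metacharacters in userId (RFC 4515), so a crafted value cannot change the filter structure` above the `new EqualsFilter(...)` line. The escaping covers only the value side: `ldapUserIdentifyingAttribute` is still interpolated raw, which is acceptable only as long as it comes from trusted configuration, and that assumption is worth a comment too. I cannot confirm from the hunk how `EqualsFilter` in this version treats a null `userId`, so a guard such as `if (userId == null || userId.isEmpty()) { return null; }` (or whatever the method's failure return is) before building the filter would make the behaviour explicit. A regression test that passes a `userId` containing `*`, `(` or `)` and asserts the encoded filter contains the escaped sequences would pin the fix. The enclosing method starts and ends outside this hunk.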
diff --git a/tools/dependencies/known-dependencies.txt 
b/tools/dependencies/known-dependencies.txt
index 1e35f78b75..8b5564d057 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -228,6 +228,7 @@ springfox-spring-web-2.9.2.jar
 springfox-swagger-common-2.9.2.jar
 springfox-swagger-ui-2.9.2.jar
 springfox-swagger2-2.9.2.jar
+spring-ldap-1.1.2.jar
 swagger-annotations-1.5.20.jar
 swagger-bootstrap-ui-1.9.3.jar
 swagger-models-1.5.24.jar
