asf-tooling opened a new issue, #987:
URL: https://github.com/apache/tooling-trusted-releases/issues/987
**ASVS Level(s):** [L1, L2]
**Description:**
### Summary
Multiple LDAP account lookup methods construct LDAP search filters by
directly interpolating the uid parameter without validation or escaping. In
`asfpy/ldapadmin.py`, the `manager.load_account()` method lacks UID validation
despite `LDAP_VALID_UID_RE` being defined and used in other methods. In
`atr/principal.py`, the `_get_project_memberships()` method uses string
interpolation without `escape_filter_chars()`. This creates an inconsistency
where the protection control exists but is not applied uniformly. The gap
allows LDAP filter manipulation, information disclosure, a potential
authentication/authorization bypass, and enumeration attacks via wildcard and
partial-match queries.
### Details
**Affected Files and Lines:**
- `asfpy/ldapadmin.py:186` - load_account without validation
- `atr/principal.py:142` - _get_project_memberships without escaping
The validation and escaping controls exist but are not applied consistently
across all LDAP query construction points.
### Recommended Remediation
Apply defense-in-depth by enforcing validation at the method boundary:
```python
# In asfpy/ldapadmin.py load_account()
if not LDAP_VALID_UID_RE.match(uid):
    raise ValueError(f"Invalid UID format: {uid}")

# In atr/principal.py _get_project_memberships()
from ldap.filter import escape_filter_chars

escaped_uid = escape_filter_chars(asf_uid)
filter_str = f"(&(objectClass=posixGroup)(memberUid={escaped_uid}))"
```
Add `LDAP_VALID_UID_RE` validation to the `load_account()` method, consistent
with the other methods in the file. Apply both allowlist validation (Layer 1) and
LDAP filter escaping using `ldap.filter.escape_filter_chars()` or
`ldap3.utils.conv.escape_filter_chars()` (Layer 2) for defense-in-depth. In
`principal.py`, call `escape_filter_chars()` at the point of filter construction
even when the uid has already passed regex validation upstream.
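The two layers above, shown end to end as an added example (this is not the project's code). The allowlist regex is an assumption, since the issue does not show the project's `LDAP_VALID_UID_RE`; `escape_filter_chars` is reimplemented inline with the RFC 4515 mapping so the script runs without python-ldap; `SAMPLE_GROUPS` is constructed data; and `groups_matching` is a small substring-assertion evaluator standing in for the directory server, so you can see what a raw `*` or `a*` matches compared with its escaped form.

```python
import re

# Constructed sample data, not real ASF LDAP: group name -> memberUid values.
SAMPLE_GROUPS = {
    "httpd": ["alice", "bob"],
    "tooling": ["alice", "carol"],
    "pmc-chairs": ["bob"],
}

# Assumed allowlist; the project's actual LDAP_VALID_UID_RE is not shown in the issue.
LDAP_VALID_UID_RE = re.compile(r"^[a-z][a-z0-9_-]{0,63}$")

# RFC 4515 assertion-value escapes, the same mapping ldap.filter.escape_filter_chars applies.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value: str) -> str:
    """Layer 2: turn every filter metacharacter in value into a literal."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def validate_uid(uid: str) -> str:
    """Layer 1: reject anything that is not a plausible uid before it reaches a filter."""
    if not LDAP_VALID_UID_RE.match(uid):
        raise ValueError(f"Invalid UID format: {uid!r}")
    return uid


def unsafe_membership_filter(asf_uid: str) -> str:
    """The pattern the issue describes: raw interpolation, no validation, no escaping."""
    return f"(&(objectClass=posixGroup)(memberUid={asf_uid}))"


def safe_membership_filter(asf_uid: str) -> str:
    """Both layers applied at the point of filter construction."""
    validate_uid(asf_uid)
    return f"(&(objectClass=posixGroup)(memberUid={escape_filter_chars(asf_uid)}))"


def _unescape(component: str) -> str:
    # Turn \xx hex escapes back into the literal characters a server would compare.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), component)


def assertion_matches(assertion: str, value: str) -> bool:
    """Evaluate one RFC 4515 equality or substring assertion value against an attribute value.

    Every '*' still present in the assertion is a wildcard; an escaped asterisk arrives as \\2a
    and is compared literally after unescaping, which is why escaping defeats enumeration.
    """
    parts = [_unescape(p) for p in assertion.split("*")]
    if len(parts) == 1:
        return value == parts[0]
    initial, *middle, final = parts
    if not value.startswith(initial):
        return False
    pos = len(initial)
    for part in middle:
        idx = value.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return value.endswith(final) and len(value) - len(final) >= pos


def groups_matching(member_uid_assertion: str) -> list[str]:
    """Stand-in for the directory: groups with any memberUid matching the assertion value."""
    return sorted(
        name for name, members in SAMPLE_GROUPS.items()
        if any(assertion_matches(member_uid_assertion, m) for m in members)
    )


if __name__ == "__main__":
    # Wildcard and partial-match enumeration through the raw filter, versus the hardened path.
    for payload in ["alice", "*", "a*"]:
        print("raw     :", unsafe_membership_filter(payload), "->", groups_matching(payload))
        try:
            print("hardened:", safe_membership_filter(payload))
        except ValueError as exc:
            print("hardened: rejected by allowlist:", exc)
        # Layer 2 alone: the escaped value can only ever match itself literally.
        print("escaped only ->", groups_matching(escape_filter_chars(payload)))
    # Structural injection: the raw filter grows an extra clause, the escaped one stays one clause.
    injected = "*)(objectClass=*"
    print("raw     :", unsafe_membership_filter(injected))
    print("escaped :", f"(&(objectClass=posixGroup)(memberUid={escape_filter_chars(injected)}))")
```

Run it as a script to see the three payloads side by side. The allowlist alone would already stop `*` and `a*`, but the escaped-only line is the case the issue is about: even if validation is bypassed or forgotten at one call site, a value escaped at the point of filter construction matches nothing it was not meant to.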
### Acceptance Criteria
- [ ] UID validation added to load_account()
- [ ] Filter escaping added to _get_project_memberships()
- [ ] Defense-in-depth applied
- [ ] Consistency across LDAP operations
- [ ] Integration test verifies protection
- [ ] Unit test verifying the fix
### References
- Source reports: L1:1.2.4.md, L2:1.2.6.md, L2:1.3.8.md
- Related findings: FINDING-210
- ASVS sections: 1.2.4, 1.2.6, 1.3.8
### Priority
Medium
---
**Triage notes:** cross-post to asfpy also
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]