I think the issue is that the findPermission method in PermDAO is not calling the encodeSafeText method before adding the role name to the filter

https://github.com/apache/directory-fortress-core/blob/master/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java#L1906

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Thursday, February 9, 2017 3:23:22 PM
Subject: Re: Filter Escapes

this is the method I am talking about that encodes filters on behalf of fortress searches:

/**
 * Perform encoding on supplied input string for certain unsafe ascii characters. These chars may be unsafe
 * because ldap reserves some characters as operands. Safe encoding safeguards from malicious scripting input errors
 * that are possible if data filtering did not get performed before being passed into dao layer.
 *
 * @param filter contains the data to filter.
 * @return possibly modified input string for matched characters.
 */
protected String escapeLDAPSearchFilter( String filter )
{

obviously for this to work you would have to encode the value of the role name when the entity is created. Seems like a lot of complexity to allow that character in the field name, but again I'll let you decide if it's worthwhile.

Shawn

> On Feb 9, 2017, at 1:59 PM, Shawn McKinney <[email protected]> wrote:
>
> Chris as I'm sure you know, parentheses are used by ldap search filters to
> establish precedence of operations. You can look into encoding the value of
> the role name. I'm surprised it isn't already as passing unencoded strings
> into ldap is considered a security vulnerability, and many of the values
> passed into ldap are encoded.
>
> My view is role names probably shouldn't have parentheses in the names but I
> don't have strong enough feelings to discourage its use by others. That is
> to say if you have good reasons for doing it, you should be able to encode
> that value prior to storing / searching for it.
>
> Shawn
>
>> On Feb 9, 2017, at 1:20 PM, Chris Pike <[email protected]> wrote:
>>
>> It's an LdapProtocolErrorException, the offending role name is something
>> like "Test Role (development)" and the error printed looks something like
>>
>> org.apache.directory.api.ldap.model.exception.LdapProtocolErrorException:
>> The filter (&(objectClass=ftOperation)(|(ftUsers=userId)(ftRoles=Test Role
>> (development)))) is invalid
>>
>> ----- Original Message -----
>> From: "Emmanuel Lécharny" <[email protected]>
>> To: [email protected]
>> Sent: Thursday, February 9, 2017 5:11:33 AM
>> Subject: Re: Filter Escapes
>>
>> On 09/02/2017 at 01:59, Shawn McKinney wrote:
>>>> On Feb 8, 2017, at 8:01 AM, Chris Pike <[email protected]> wrote:
>>>>
>>>> Ran into an issue yesterday where a role name had parentheses in the name,
>>>> and this messed up the fortress ldap filter when getting permissions for a
>>>> user through the access manager. It appears filter params aren't being
>>>> properly escaped. Not sure if it is specific to this case or is present in
>>>> other places as well. Thoughts?
>>> Hi Chris,
>>>
>>> what is the error you receive?
>>
>> In any case, you have two ways to build a filter:
>> - use a String, and parse it
>> - use the LDAP API filter Node elements (like EqualityNode), and get the
>> resulting String
>>
>> In the first case, each Filter element's value has to be encoded so that
>> it's not going to interact with the filter structure (ie, every '(' and
>> ')' have to be escaped, and a few more chars too).
>>
>> This can be done using FilterEncoder.encodeFilterValue( String value )
>> static method, which returns an encoded value.
>>
>> For instance, if you want to create a filter for an equality on the 'cn'
>> AttributeType, with a value of "ACME(tm)", whose resulting filter is
>> "(cn=ACME\\28tm\\29)", do this:
>>
>> String filterStr = String.format( "(%s=%s)", "cn",
>> FilterEncoder.encodeFilterValue( "ACME(tm)" ) );
>>
>> or
>>
>> String filterStr = new EqualityNode<>( "cn", new StringValue(
>> "ACME(tm)" ) ).toString();
>>
>> Both resulting filterStr will be valid (ie the "(cn=ACME\\28tm\\29)"
>> String )
>>
>> --
>> Emmanuel Lecharny
>>
>> Symas.com
>> directory.apache.org
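The following is an added example, not code from the thread, from Fortress or from the Apache LDAP API. It builds the permission filter quoted in Chris's error message twice, once by raw concatenation (the bug being discussed) and once with each value escaped first (the fix Shawn and Emmanuel describe), and runs both through a small RFC 4515 grammar check that stands in for the server-side parser. The escaper escapeFilterValue is written here as a stand-in for FilterEncoder.encodeFilterValue; the class name FilterEscapeDemo, the helper names and the sample values are constructed for this example. It also goes one step beyond the thread: the hostile role name shows that the same missing escape is not only a protocol error on "Test Role (development)" but lets a caller-chosen value rewrite the filter so it matches every role.

```java
import java.nio.charset.StandardCharsets;

public final class FilterEscapeDemo {

    /**
     * Escape an assertion value per RFC 4515 section 3: '*', '(', ')', '\' and NUL
     * become a backslash plus two hex digits. Control and non-ASCII bytes are also
     * escaped (as their UTF-8 bytes), which the RFC allows and keeps the filter ASCII.
     * Hand-written stand-in for the Apache LDAP API's FilterEncoder.encodeFilterValue().
     */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            boolean reserved = c == '*' || c == '(' || c == ')' || c == '\\' || c == 0;
            if (reserved || c < 0x20 || c > 0x7e) {
                out.append('\\').append(Character.forDigit(c >> 4, 16)).append(Character.forDigit(c & 0xf, 16));
            } else {
                out.append((char) c);
            }
        }
        return out.toString();
    }

    /** The filter shape quoted in the thread, values concatenated raw (the bug). */
    static String unsafePermissionFilter(String userId, String roleName) {
        return "(&(objectClass=ftOperation)(|(ftUsers=" + userId + ")(ftRoles=" + roleName + ")))";
    }

    /** Same filter, every caller-supplied value escaped before concatenation (the fix). */
    static String safePermissionFilter(String userId, String roleName) {
        return "(&(objectClass=ftOperation)(|(ftUsers=" + escapeFilterValue(userId)
                + ")(ftRoles=" + escapeFilterValue(roleName) + ")))";
    }

    /** Minimal RFC 4515 grammar check, standing in for the directory server's parser. */
    static boolean isValidFilter(String f) {
        int[] pos = {0};
        return parseFilter(f, pos) && pos[0] == f.length();
    }

    // filter = '(' ( '&' filterlist | '|' filterlist | '!' filter | item ) ')'
    private static boolean parseFilter(String f, int[] pos) {
        if (pos[0] >= f.length() || f.charAt(pos[0]++) != '(') return false;
        if (pos[0] >= f.length()) return false;
        char op = f.charAt(pos[0]);
        if (op == '&' || op == '|') {
            pos[0]++;
            int n = 0;
            while (pos[0] < f.length() && f.charAt(pos[0]) == '(') { if (!parseFilter(f, pos)) return false; n++; }
            if (n == 0) return false;
        } else if (op == '!') {
            pos[0]++;
            if (!parseFilter(f, pos)) return false;
        } else if (!parseItem(f, pos)) {
            return false;
        }
        return pos[0] < f.length() && f.charAt(pos[0]++) == ')';
    }

    // item = attr '=' value; the value may hold '*' and "\XX" escapes but never a raw parenthesis
    private static boolean parseItem(String f, int[] pos) {
        int eq = f.indexOf('=', pos[0]);
        if (eq <= pos[0]) return false;
        String attr = f.substring(pos[0], eq);
        if (attr.indexOf('(') >= 0 || attr.indexOf(')') >= 0) return false;
        int i = eq + 1;
        while (i < f.length() && f.charAt(i) != ')') {
            char ch = f.charAt(i);
            if (ch == '(') return false;
            if (ch == '\\') {
                if (i + 2 >= f.length() || !isHex(f.charAt(i + 1)) || !isHex(f.charAt(i + 2))) return false;
                i += 3;
            } else {
                i++;
            }
        }
        pos[0] = i;
        return true;
    }

    private static boolean isHex(char ch) { return Character.digit(ch, 16) >= 0; }

    public static void main(String[] args) {
        String userId = "userId";                  // constructed sample value
        String role = "Test Role (development)";   // the role name from the thread
        String hostile = "x)(ftRoles=*";           // constructed value that keeps the filter well-formed

        show("unescaped, thread's role", unsafePermissionFilter(userId, role));    // invalid: raw '(' inside a value
        show("escaped, thread's role  ", safePermissionFilter(userId, role));      // valid: ... \28development\29
        show("unescaped, hostile role ", unsafePermissionFilter(userId, hostile)); // valid, but (ftRoles=*) matches any role
        show("escaped, hostile role   ", safePermissionFilter(userId, hostile));   // valid, matches only that literal name
    }

    private static void show(String label, String filter) {
        System.out.printf("%s  valid=%-5b %s%n", label, isValidFilter(filter), filter);
    }
}
```

Compile and run with `javac FilterEscapeDemo.java && java FilterEscapeDemo`. The first line reproduces the symptom from the thread (the unescaped filter is rejected), the second shows the escaped form the server accepts, and the last two show why the fix belongs on every value that reaches the filter, not just on names that happen to break parsing: with escaping applied, the hostile value is searched for as the literal string `x\29\28ftRoles=\2a` and cannot alter the filter structure.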
