From 741f0183e6dda33b7458cc1e897c0a2397c07196 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20P=C3=A9pin?=
Date: Thu, 16 Mar 2017 22:43:43 +0000
Subject: [PATCH] Prevent ldap injections in autocompletion views

We only allow alphanumeric characters in the query in order to avoid injections
---
 gestioncof/autocomplete.py | 34 ++++++++++++++++++----------------
 kfet/autocomplete.py       | 34 ++++++++++++++++++----------------
 2 files changed, 36 insertions(+), 32 deletions(-)

diff --git a/gestioncof/autocomplete.py b/gestioncof/autocomplete.py
index 1eae6920..65f62fab 100644
--- a/gestioncof/autocomplete.py
+++ b/gestioncof/autocomplete.py
@@ -56,22 +56,24 @@ def autocomplete(request):
     # Fetching data from the SPI
     if hasattr(settings, 'LDAP_SERVER_URL'):
         # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit})
-             for bit in bits]
-        ))
-        with Connection(settings.LDAP_SERVER_URL) as conn:
-            conn.search(
-                'dc=spi,dc=ens,dc=fr', ldap_query,
-                attributes=['uid', 'cn']
-            )
-            queries['clippers'] = conn.entries
-        # Clearing redundancies
-        queries['clippers'] = [
-            Clipper(clipper.uid, clipper.cn)
-            for clipper in queries['clippers']
-            if str(clipper.uid) not in usernames
-        ]
+        ldap_query = '(|{:s})'.format(''.join([
+            '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
+            for bit in bits if bit.isalnum()
+        ]))
+        if ldap_query != "(|)":
+            # If none of the bits were legal, we do not perform the query
+            with Connection(settings.LDAP_SERVER_URL) as conn:
+                conn.search(
+                    'dc=spi,dc=ens,dc=fr', ldap_query,
+                    attributes=['uid', 'cn']
+                )
+                queries['clippers'] = conn.entries
+            # Clearing redundancies
+            queries['clippers'] = [
+                Clipper(clipper.uid, clipper.cn)
+                for clipper in queries['clippers']
+                if str(clipper.uid) not in usernames
+            ]
 
     # Resulting data
     data.update(queries)
diff --git a/kfet/autocomplete.py b/kfet/autocomplete.py
index 64fa52cf..3b5e0ab5 100644
--- a/kfet/autocomplete.py
+++ b/kfet/autocomplete.py
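Review bot: The `if ldap_query != "(|)"` sentinel on the new side detects an empty result of the `isalnum()` filter by comparing the assembled filter string against a magic value instead of testing the filtered terms, and the same shape is repeated in the `account_create` hunk of kfet/autocomplete.py. Building the list of accepted terms first and testing it makes the intent explicit and also makes it easy to see why `isalnum()` is a sufficient guard against filter injection here: `(`, `)`, `*`, `\` and NUL are never alphanumeric, although the allowlist silently drops legitimate terms such as hyphenated or apostrophe-containing names, so escaping each term per RFC 4515 (ldap3, which the `Connection`/`conn.entries` usage suggests is in use, ships `escape_filter_chars` for that) would be the less lossy alternative. Note also that when every term is rejected the branch no longer assigns `queries['clippers']` at all, whereas the old code always did; whether a consumer of `data` relies on that key is not visible in the hunk. The enclosing `autocomplete` body starts before the hunk.
```python
        # Fetching
        legal_bits = [bit for bit in bits if bit.isalnum()]
        if legal_bits:
            # If none of the bits were legal, we do not perform the query
            ldap_query = '(|{:s})'.format(''.join(
                '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=bit)
                for bit in legal_bits
            ))
            # … unchanged: Connection / conn.search / clippers de-duplication …
```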
@@ -75,22 +75,24 @@ def account_create(request):
     # Fetching data from the SPI
     if hasattr(settings, 'LDAP_SERVER_URL'):
         # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
-             for word in search_words]
-        ))
-        with Connection(settings.LDAP_SERVER_URL) as conn:
-            conn.search(
-                'dc=spi,dc=ens,dc=fr', ldap_query,
-                attributes=['uid', 'cn']
-            )
-            queries['clippers'] = conn.entries
-        # Clearing redundancies
-        queries['clippers'] = [
-            Clipper(clipper.uid, clipper.cn)
-            for clipper in queries['clippers']
-            if str(clipper.uid) not in usernames
-        ]
+        ldap_query = '(|{:s})'.format(''.join([
+            '(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
+            for word in search_words if word.isalnum()
+        ]))
+        if ldap_query != "(|)":
+            # If none of the bits were legal, we do not perform the query
+            with Connection(settings.LDAP_SERVER_URL) as conn:
+                conn.search(
+                    'dc=spi,dc=ens,dc=fr', ldap_query,
+                    attributes=['uid', 'cn']
+                )
+                queries['clippers'] = conn.entries
+            # Clearing redundancies
+            queries['clippers'] = [
+                Clipper(clipper.uid, clipper.cn)
+                for clipper in queries['clippers']
+                if str(clipper.uid) not in usernames
+            ]
 
     # Resulting data
     data.update(queries)