Merge branch 'hotfix/prevent_ldap_injection' into 'master'

Hotfix/prevent ldap injection Closes #150 See merge request !188
2017-03-20 23:06:59 +01:00 · 2017-03-20 23:06:59 +01:00 · ae38b5d1e7
commit ae38b5d1e7
parent a057869d77 59f57793ba
8 changed files with 52 additions and 35 deletions
--- a/gestioncof/autocomplete.py
+++ b/gestioncof/autocomplete.py
@ -56,10 +56,12 @@ def autocomplete(request):
    # Fetching data from the SPI
    if hasattr(settings, 'LDAP_SERVER_URL'):
        # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(**{"bit": bit})
-             for bit in bits]
+        ldap_query = '(&{:s})'.format(''.join(
+            '(|(cn=*{bit:s}*)(uid=*{bit:s}*))'.format(bit=bit)
+            for bit in bits if bit.isalnum()
        ))
+        if ldap_query != "(&)":
+            # If none of the bits were legal, we do not perform the query
            with Connection(settings.LDAP_SERVER_URL) as conn:
                conn.search(
                    'dc=spi,dc=ens,dc=fr', ldap_query,
--- a/gestioncof/static/css/cof.css
+++ b/gestioncof/static/css/cof.css
@ -800,7 +800,7 @@ input#search_autocomplete {
 height: 40px;
 padding: 10px 8px;
 margin: 0 auto;
- margin-top: 20px;
+ margin-top: 0px;
 display: block;
 color: #aaa;
 }
@ -1119,3 +1119,10 @@ div.messages div.alert-success div.container {
 div.messages div.alert div.container a {
    color: inherit;
 }
+
+/* Help text */
+
+p.help-block {
+  margin: 5px auto;
+  width: 90%;
+}
--- a/gestioncof/templates/registration.html
+++ b/gestioncof/templates/registration.html
@ -9,7 +9,9 @@

 {% block realcontent %}
    <h2>Inscription d'un nouveau membre</h2>
-    <input type="text" name="q" id="search_autocomplete" spellcheck="false" />
+    <p class="help-block">Les mots contenant des caractères non alphanumériques seront ignorés</p>
+    <input type="text" name="q" id="search_autocomplete" spellcheck="false"
+           placeholder="Chercher un utilisateur par nom, prénom ou identifiant clipper" />
    <div id="form-placeholder"></div>
    <div class="yourlabs-autocomplete"></div>
    <script type="text/javascript">
@ -20,7 +22,6 @@
                minimumCharacters: 3,
                id: 'search_autocomplete',
                choiceSelector: 'li:has(a)',
-                placeholder: "Chercher un utilisateur par nom, prénom ou identifiant clipper",
                box: $(".yourlabs-autocomplete"),
            });
            $('input#search_autocomplete').bind(
--- a/gestioncof/templatetags/utils.py
+++ b/gestioncof/templatetags/utils.py
@ -23,7 +23,7 @@ def key(d, key_name):


 def highlight_text(text, q):
-    q2 = "|".join(q.split())
+    q2 = "|".join(re.escape(word) for word in q.split())
    pattern = re.compile(r"(?P<filter>%s)" % q2, re.IGNORECASE)
    return mark_safe(re.sub(pattern,
                            r"<span class='highlight'>\g<filter></span>",
--- a/kfet/autocomplete.py
+++ b/kfet/autocomplete.py
@ -75,10 +75,12 @@ def account_create(request):
    # Fetching data from the SPI
    if hasattr(settings, 'LDAP_SERVER_URL'):
        # Fetching
-        ldap_query = '(|{:s})'.format(''.join(
-            ['(cn=*{bit:s}*)(uid=*{bit:s}*)'.format(bit=word)
-             for word in search_words]
+        ldap_query = '(&{:s})'.format(''.join(
+            '(|(cn=*{bit:s}*)(uid=*{bit:s}*))'.format(bit=word)
+            for word in search_words if word.isalnum()
        ))
+        if ldap_query != "(&)":
+            # If none of the bits were legal, we do not perform the query
            with Connection(settings.LDAP_SERVER_URL) as conn:
                conn.search(
                    'dc=spi,dc=ens,dc=fr', ldap_query,
--- a/kfet/static/kfet/css/index.css
+++ b/kfet/static/kfet/css/index.css
@ -341,3 +341,7 @@ textarea {
 .help h4 {
    margin:15px 0;
 }
+
+.help-block {
+    padding-top: 15px;
+}
--- a/kfet/templates/kfet/account_create.html
+++ b/kfet/templates/kfet/account_create.html
@ -23,6 +23,7 @@
          {{ trigramme_form.trigramme }}
        </div>
        <div id="trigramme_valid"></div>
+        <p class="help-block">Les mots contenant des caractères non alphanumériques seront ignorés</p>
        <input type="text" name="q" id="search_autocomplete" spellcheck="false" placeholder="Chercher un utilisateur par nom, prénom ou identifiant clipper" class="form-control">
        <div style="position:relative;">
          <div id="search_results"></div>
--- a/kfet/templatetags/kfet_tags.py
+++ b/kfet/templatetags/kfet_tags.py
@ -11,7 +11,7 @@ register = template.Library()


 def highlight_text(text, q):
-    q2 = "|".join(q.split())
+    q2 = "|".join(re.escape(word) for word in q.split())
    pattern = re.compile(r"(?P<filter>%s)" % q2, re.IGNORECASE)
    regex = r"<span class='highlight_autocomplete'>\g<filter></span>"
    return mark_safe(re.sub(pattern, regex, text))