You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@streampark.apache.org by be...@apache.org on 2022/11/08 08:44:54 UTC

[incubator-streampark] branch dev updated: [cherry-pick] Fix vulnerability in LDAP login (#1984)

This is an automated email from the ASF dual-hosted git repository.

benjobs pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git


The following commit(s) were added to refs/heads/dev by this push:
     new ba8e01875 [cherry-pick] Fix vulnerability in LDAP login (#1984)
ba8e01875 is described below

commit ba8e01875b1dfc8cb75a417da1876804bccc4d96
Author: monster <60...@users.noreply.github.com>
AuthorDate: Tue Nov 8 16:44:45 2022 +0800

    [cherry-pick] Fix vulnerability in LDAP login (#1984)
---
 streampark-console/streampark-console-service/pom.xml   |  5 +++++
 .../console/system/security/impl/ldap/LdapService.java  | 17 ++++-------------
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/streampark-console/streampark-console-service/pom.xml b/streampark-console/streampark-console-service/pom.xml
index a0ee18875..b484e857b 100644
--- a/streampark-console/streampark-console-service/pom.xml
+++ b/streampark-console/streampark-console-service/pom.xml
@@ -177,6 +177,11 @@
             <artifactId>spring-boot-starter-validation</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.ldap</groupId>
+            <artifactId>spring-ldap-core</artifactId>
+        </dependency>
+
         <!-- shiro-spring -->
         <dependency>
             <groupId>org.apache.shiro</groupId>
diff --git a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
index 14bd68928..f1b8ebe2d 100644
--- a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
+++ b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/system/security/impl/ldap/LdapService.java
@@ -19,10 +19,9 @@ package org.apache.streampark.console.system.security.impl.ldap;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 
 import javax.naming.Context;
@@ -42,8 +41,6 @@ import java.util.Properties;
 @Slf4j
 public class LdapService {
 
-    private static final Logger LOG = LoggerFactory.getLogger(LdapService.class);
-
     @Value("${ldap.urls:#{null}}")
     private String ldapUrls;
 
@@ -75,22 +72,16 @@ public class LdapService {
     public String ldapLogin(String userId, String userPwd) {
         Properties searchEnv = getManagerLdapEnv();
         try {
-            //Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
             LdapContext ctx = new InitialLdapContext(searchEnv, null);
             SearchControls sc = new SearchControls();
             sc.setReturningAttributes(new String[]{ldapEmailAttribute});
             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
-
-            //Search for the user you want to authenticate, search him with some attribute
-            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
-            // NamingEnumeration answer = ctx.search(usersContainer, "     (objectclass=group)", ctls);
+            EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
             if (results.hasMore()) {
-                // get the users DN (distinguishedName) from the result
                 SearchResult result = results.next();
                 NamingEnumeration attrs = result.getAttributes().getAll();
                 while (attrs.hasMore()) {
-                    //Open another connection to the LDAP server with the found DN and the password
                     searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
                     searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
                     try {
@@ -128,7 +119,7 @@ public class LdapService {
 
     public LdapUserNotExistActionType getLdapUserNotExistAction() {
         if (StringUtils.isBlank(ldapUserNotExistAction)) {
-            LOG.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+            log.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
             return LdapUserNotExistActionType.CREATE;
         }