Posted to commits@dolphinscheduler.apache.org by ke...@apache.org on 2022/08/22 03:47:42 UTC

[dolphinscheduler] 01/01: Fix vulnerability in LDAP login

This is an automated email from the ASF dual-hosted git repository.

kezhenxu94 pushed a commit to branch bugfix/ldap
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git

commit 001ca807e14709b737dfc5e2dd7314096083d9a8
Author: kezhenxu94 <ke...@apache.org>
AuthorDate: Mon Aug 22 11:47:29 2022 +0800

    Fix vulnerability in LDAP login
---
 dolphinscheduler-api/pom.xml                               |  5 +++++
 .../api/security/impl/ldap/LdapService.java                | 14 ++++++++------
 dolphinscheduler-bom/pom.xml                               |  6 ++++++
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/dolphinscheduler-api/pom.xml b/dolphinscheduler-api/pom.xml
index d3ffc0a772..74de5d9b1f 100644
--- a/dolphinscheduler-api/pom.xml
+++ b/dolphinscheduler-api/pom.xml
@@ -176,6 +176,11 @@
             <artifactId>py4j</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-ldap</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
index 8a7dd5a784..1cca542aab 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/ldap/LdapService.java
@@ -38,11 +38,13 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.ldap.support.filter.EqualsFilter;
 import org.springframework.stereotype.Component;
 
 @Component
 @Configuration
 public class LdapService {
+
     private static final Logger logger = LoggerFactory.getLogger(LdapService.class);
 
     @Value("${security.authentication.ldap.user.admin:#{null}}")
@@ -89,20 +91,19 @@ public class LdapService {
         Properties searchEnv = getManagerLdapEnv();
         LdapContext ctx = null;
         try {
-            //Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
+            // Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
             ctx = new InitialLdapContext(searchEnv, null);
             SearchControls sc = new SearchControls();
             sc.setReturningAttributes(new String[]{ldapEmailAttribute});
             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
-            //Search for the user you want to authenticate, search him with some attribute
-            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
+            EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
+            NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
             if (results.hasMore()) {
                 // get the users DN (distinguishedName) from the result
                 SearchResult result = results.next();
                 NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();
                 while (attrs.hasMore()) {
-                    //Open another connection to the LDAP server with the found DN and the password
+                    // Open another connection to the LDAP server with the found DN and the password
                     searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
                     searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
                     try {
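Review bot: The user bind that follows `searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd)` is still reachable with an empty password, and a simple bind with a DN plus empty credentials is treated by many directory servers (Active Directory by default, per RFC 4513 §5.1.2 "unauthenticated" binds) as anonymous and succeeds, so any existing user could be authenticated without a password unless something earlier rejects blanks. The start of this method and its catch/return path are outside the hunk, so I cannot see whether such a check exists; if it does not, add `if (StringUtils.isBlank(userPwd)) { return null; }` (or the method's existing failure return) before the bind, and consider setting `searchEnv.put(Context.SECURITY_AUTHENTICATION, "simple");` explicitly rather than relying on the provider default. The `EqualsFilter` change does escape `userId` correctly; `ldapUserIdentifyingAttribute` is still interpolated unescaped as the attribute name, which is acceptable only because it comes from configuration and not from the request, and a comment saying so, e.g. `// attribute name is operator-configured; only the user-supplied value needs RFC 4515 escaping`, would keep that invariant visible.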
@@ -149,7 +150,8 @@ public class LdapService {
 
     public LdapUserNotExistActionType getLdapUserNotExistAction() {
         if (StringUtils.isBlank(ldapUserNotExistAction)) {
-            logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
+            logger.info(
+                    "security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
             return LdapUserNotExistActionType.CREATE;
         }
 
diff --git a/dolphinscheduler-bom/pom.xml b/dolphinscheduler-bom/pom.xml
index 1ce13f6d9a..0599d5510e 100644
--- a/dolphinscheduler-bom/pom.xml
+++ b/dolphinscheduler-bom/pom.xml
@@ -609,6 +609,12 @@
                 <!-- TODO: remove this dependency management after removing powermock -->
                 <scope>test</scope>
             </dependency>
+
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-ldap</artifactId>
+                <version>1.1.2</version>
+            </dependency>
         </dependencies>
 
     </dependencyManagement>
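Review bot: Pinning `org.springframework:spring-ldap` to `1.1.2` appears to select a 2006-era release of Spring LDAP, which is consistent with the `org.springframework.ldap.support.filter` package imported in LdapService but is long unmaintained and may pull an old Spring transitive that conflicts with the rest of the build, so it is worth checking the resolved tree with `mvn dependency:tree`. If the library is kept, the maintained coordinates are, as far as I know, `org.springframework.ldap:spring-ldap-core`, where the class lives at `org.springframework.ldap.filter.EqualsFilter`; alternatively, since only filter-value escaping is needed, a small local RFC 4515 escaper for `\`, `*`, `(`, `)` and NUL would avoid adding a dependency at all. Whichever is chosen, a comment beside the version such as `<!-- used only for LDAP filter escaping in LdapService -->` would tell the next person why this artifact is here.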