only santize username/password should be enough

Signed-off-by: hsinhoyeh <yhh92u@gmail.com>
dexidp · Feb 23, 2024 · ccab708 · ccab708
1 parent f35614e
commit ccab708
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 25 deletions.
diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
@@ -9,9 +9,7 @@ import (
 	"fmt"
 	"net"
 	"os"
-	"regexp"
 	"strings"
-	"errors"
 
 	"github.com/go-ldap/ldap/v3"
 
@@ -463,21 +461,6 @@ func (c *ldapConnector) userEntry(conn *ldap.Conn, username string) (user ldap.E
 func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (ident connector.Identity, validPass bool, err error) {
 	// make this check to avoid unauthenticated bind to the LDAP server.
 
-	matched, err := regexp.MatchString(`[\w\s\*]+`, username)
-	if err != nil {
-		return connector.Identity{}, false, err
-	}
-	if matched {
-		return connector.Identity{}, false, errors.New("invalid input")
-	}
-	matched, err = regexp.MatchString(`[\w\*]+`, password)
-	if err != nil {
-		return connector.Identity{}, false, err
-	}
-	if matched {
-		return connector.Identity{}, false, errors.New("invalid input")
-	}
-
 	if password == "" {
 		return connector.Identity{}, false, nil
 	}
@@ -489,6 +472,9 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
 		user          ldap.Entry
 	)
 
+	username = ldap.EscapeFilter(username)
+	password = ldap.EscapeFilter(password)
+
 	err = c.do(ctx, func(conn *ldap.Conn) error {
 		entry, found, err := c.userEntry(conn, username)
 		if err != nil {

diff --git a/connector/ldap/ldap_test.go b/connector/ldap/ldap_test.go
@@ -84,16 +84,16 @@ func TestQuery(t *testing.T) {
 			wantBadPW: true, // Want invalid password, not a query error.
 		},
 		{
-			name:     "invalid wildcard username",
-			username: "a*", // wildcard query is not allowed
-			password: "foo",
-			wantErr:  true,
+			name:      "invalid wildcard username",
+			username:  "a*", // wildcard query is not allowed
+			password:  "foo",
+			wantBadPW: true, // Want invalid password, not a query error.
 		},
 		{
-			name:     "invalid wildcard password",
-			username: "john",
-			password: "*", //wildcard password is not allowed
-			wantErr:  true,
+			name:      "invalid wildcard password",
+			username:  "john",
+			password:  "*",  //wildcard password is not allowed
+			wantBadPW: true, // Want invalid password, not a query error.
 		},
 	}