Skip to content

Commit

Permalink
Fix vulnerability in LDAP login (#11586)
Browse files Browse the repository at this point in the history
  • Loading branch information
kezhenxu94 committed Aug 22, 2022
1 parent 5813a61 commit 17a9dd2
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 6 deletions.
5 changes: 5 additions & 0 deletions dolphinscheduler-api/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,11 @@
<artifactId>py4j</artifactId>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-ldap</artifactId>
</dependency>

<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,11 +38,13 @@
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.support.filter.EqualsFilter;
import org.springframework.stereotype.Component;

@Component
@Configuration
public class LdapService {

private static final Logger logger = LoggerFactory.getLogger(LdapService.class);

@Value("${security.authentication.ldap.user.admin:#{null}}")
Expand Down Expand Up @@ -89,20 +91,19 @@ public String ldapLogin(String userId, String userPwd) {
Properties searchEnv = getManagerLdapEnv();
LdapContext ctx = null;
try {
//Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
// Connect to the LDAP server and Authenticate with a service user of whom we know the DN and credentials
ctx = new InitialLdapContext(searchEnv, null);
SearchControls sc = new SearchControls();
sc.setReturningAttributes(new String[]{ldapEmailAttribute});
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = String.format("(%s=%s)", ldapUserIdentifyingAttribute, userId);
//Search for the user you want to authenticate, search him with some attribute
NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, searchFilter, sc);
EqualsFilter filter = new EqualsFilter(ldapUserIdentifyingAttribute, userId);
NamingEnumeration<SearchResult> results = ctx.search(ldapBaseDn, filter.toString(), sc);
if (results.hasMore()) {
// get the users DN (distinguishedName) from the result
SearchResult result = results.next();
NamingEnumeration<? extends Attribute> attrs = result.getAttributes().getAll();
while (attrs.hasMore()) {
//Open another connection to the LDAP server with the found DN and the password
// Open another connection to the LDAP server with the found DN and the password
searchEnv.put(Context.SECURITY_PRINCIPAL, result.getNameInNamespace());
searchEnv.put(Context.SECURITY_CREDENTIALS, userPwd);
try {
Expand Down Expand Up @@ -149,7 +150,8 @@ Properties getManagerLdapEnv() {

public LdapUserNotExistActionType getLdapUserNotExistAction() {
if (StringUtils.isBlank(ldapUserNotExistAction)) {
logger.info("security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
logger.info(
"security.authentication.ldap.user.not.exist.action configuration is empty, the default value 'CREATE'");
return LdapUserNotExistActionType.CREATE;
}

Expand Down
6 changes: 6 additions & 0 deletions dolphinscheduler-bom/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -609,6 +609,12 @@
<!-- TODO: remove this dependency management after removing powermock -->
<scope>test</scope>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-ldap</artifactId>
<version>1.1.2</version>
</dependency>
</dependencies>

</dependencyManagement>
Expand Down
1 change: 1 addition & 0 deletions tools/dependencies/known-dependencies.txt
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,7 @@ spring-core-5.3.19.jar
spring-expression-5.3.22.jar
spring-jcl-5.3.22.jar
spring-jdbc-5.3.19.jar
spring-ldap-1.1.2.jar
spring-plugin-core-2.0.0.RELEASE.jar
spring-plugin-metadata-2.0.0.RELEASE.jar
spring-tx-5.3.19.jar
Expand Down

0 comments on commit 17a9dd2

Please sign in to comment.