Refactor valid? and explicitly check for null bytes in login and pass…

…word Return false if there is a null byte in either the login or password. From my testing, ldap would raise an error and net/ldap would return false anyway, but explicitly checking seems like a good approach anyway. Do the conversion to strings up front to DRY up some code.
jeremyevans · Mar 24, 2023 · 73c5750 · 73c5750
1 parent 15b25b2
commit 73c5750
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/lib/simple_ldap_authenticator.rb b/lib/simple_ldap_authenticator.rb
@@ -94,34 +94,36 @@ def switch_server
 
     # Check the validity of a login/password combination
     def valid?(login, password)
-      if password.to_s == ''
+      login = login.to_s
+      password = password.to_s
+      if password == '' || password.include?("\0") || login.include?("\0")
         false
       elsif ldap_library == 'net/ldap'
-        connection.authenticate(login_format % login.to_s, password.to_s)
+        connection.authenticate(login_format % login, password)
         begin
           if connection.bind
-            logger.info("Authenticated #{login.to_s} by #{server}") if logger
+            logger.info("Authenticated #{login} by #{server}") if logger
             true
           else
-            logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{connection.get_operation_result.code} #{connection.get_operation_result.message}") if logger
+            logger.info("Error attempting to authenticate #{login} by #{server}: #{connection.get_operation_result.code} #{connection.get_operation_result.message}") if logger
             switch_server unless connection.get_operation_result.code == 49
             false
           end
         rescue Net::LDAP::Error, SocketError, SystemCallError => error
-          logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{error.message}") if logger
+          logger.info("Error attempting to authenticate #{login} by #{server}: #{error.message}") if logger
           switch_server
           false
         end
       else
         connection.unbind if connection.bound?
         begin
-          connection.bind(login_format % login.to_s, password.to_s)
+          connection.bind(login_format % login, password)
           connection.unbind
-          logger.info("Authenticated #{login.to_s} by #{server}") if logger
+          logger.info("Authenticated #{login} by #{server}") if logger
           true
         rescue LDAP::ResultError => error
           connection.unbind if connection.bound?
-          logger.info("Error attempting to authenticate #{login.to_s} by #{server}: #{error.message}") if logger
+          logger.info("Error attempting to authenticate #{login} by #{server}: #{error.message}") if logger
           switch_server unless error.message == 'Invalid credentials'
           false
         end