Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-4w46-w44m-3jq3
* strip password after authentication to prevent cleartext password storage

* fixed forgotten testcase forcing ;-/

* added test to check if password is not stored in user record

Co-authored-by: Fabian Strachanski <fabian@fastr.de>
  • Loading branch information
davimacedo and fastrde committed Dec 2, 2020
1 parent 4dee0bc commit da905a3
Show file tree
Hide file tree
Showing 2 changed files with 47 additions and 0 deletions.
46 changes: 46 additions & 0 deletions spec/LdapAuth.spec.js
Expand Up @@ -211,3 +211,49 @@ it('Should fail if the LDAP server encounters an error while searching', done =>
.finally(() => server.close());
});
});

it('Should delete the password from authData after validation', done => {
mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
const options = {
suffix: 'o=example',
url: `ldap://localhost:${port}`,
dn: 'uid={{id}}, o=example'
};

const authData = { id: 'testuser', password: 'secret' };

ldap
.validateAuthData(authData, options)
.then(() => {
expect(authData).toEqual({ id: 'testuser' });
done();
})
.catch(done.fail)
.finally(() => server.close());
});
});

it('Should not save the password in the user record after authentication', done => {
mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
const options = {
suffix: 'o=example',
url: `ldap://localhost:${port}`,
dn: 'uid={{id}}, o=example'
};
reconfigureServer({ auth: { ldap: options } }).then(() => {
const authData = { authData: { id: 'testuser', password: 'secret' } };
Parse.User.logInWith('ldap', authData).then((returnedUser) => {
const query = new Parse.Query("User");
query
.equalTo('objectId', returnedUser.id).first({ useMasterKey: true })
.then((user) => {
expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }});
expect(user.get('authData').ldap.password).toBeUndefined();
done();
})
.catch(done.fail)
.finally(() => server.close())
})
});
});
});
1 change: 1 addition & 0 deletions src/Adapters/Auth/ldap.js
Expand Up @@ -23,6 +23,7 @@ function validateAuthData(authData, options) {

return new Promise((resolve, reject) => {
client.bind(userCn, authData.password, ldapError => {
delete(authData.password);
if (ldapError) {
let error;
switch (ldapError.code) {
Expand Down

0 comments on commit da905a3

Please sign in to comment.