fix: LDAP injection via unsanitized user input in DN and group filter construction (GHSA-7m6r-fhh7-r47c)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

LDAP injection via unsanitized user input in DN and group filter construction (GHSA-7m6r-fhh7-r47c)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Security Enhancements

  • Improved LDAP authentication sanitization to prevent DN and filter injection; added stricter input validation to reject malformed identifiers and strengthen group membership checks.

• Tests

  • Added comprehensive LDAP injection prevention tests covering DN/filter escaping, invalid id handling, password handling during validation, and group-membership enforcement.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds LDAP input sanitization to the authentication flow: introduces RFC-compliant escapeDN and escapeFilter helpers, validates authData.id type, applies escaping when building DNs and group filters, and adds tests covering escaping and injection scenarios.

Changes

Cohort / File(s)	Summary
LDAP Auth Adapter src/Adapters/Auth/ldap.js	Adds escapeDN(value) and escapeFilter(value) helpers, validates authData.id is a string, applies escaping when constructing DN and group filter, and exports the new helpers. Review for correctness of RFC escaping, export surface, and any side effects on DN/filter formatting.
LDAP Tests spec/LdapAuth.spec.js	Adds comprehensive LDAP Injection Prevention tests covering escapeDN, escapeFilter, authData validation, DN injection, and filter injection scenarios (including group-filter interactions). Review for test reliability, mock LDAP behavior, and expected rejection paths.
Manifest / Metadata manifest_file	Metadata lines changed (+172/-0). Verify packaging/versioning consistency if relevant.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant AuthAdapter as Auth Adapter
    participant Escaper as escapeDN / escapeFilter
    participant LDAP as LDAP Server

    Client->>AuthAdapter: submit authData (id, password)
    AuthAdapter->>AuthAdapter: validate authData.id is string
    AuthAdapter->>Escaper: escapeDN(authData.id) / escapeFilter(authData.id)
    Escaper-->>AuthAdapter: escapedId
    AuthAdapter->>LDAP: bind/search using escaped DN / escaped filter
    LDAP-->>AuthAdapter: auth / search result
    AuthAdapter-->>Client: authentication result (password removed from authData)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	PR description includes issue link and completed tasks, but lacks content in the Approach section explaining the implementation details of LDAP injection fixes.	Add details to the Approach section describing how escapeDN and escapeFilter functions prevent LDAP injection attacks in DN and group filter construction.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing LDAP injection vulnerabilities in DN and group filter construction via unsanitized user input.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.58%. Comparing base (1de4e43) to head (9b701f8).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@            Coverage Diff             @@
##            alpha   #10154      +/-   ##
==========================================
+ Coverage   92.16%   92.58%   +0.41%     
==========================================
  Files         192      192              
  Lines       16181    16192      +11     
  Branches      183      183              
==========================================
+ Hits        14913    14991      +78     
+ Misses       1252     1189      -63     
+ Partials       16       12       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Adapters/Auth/ldap.js`:
- Line 175: The current replacement at the const filter =
options.groupFilter.replace(/{{id}}/gi, escapeFilter(id)) only escapes for LDAP
filters and allows DN injection when the filter expects a DN (e.g.,
uniqueMember=uid={{id}},o=example). Change the replacement logic so that when
the groupFilter contains a DN-valued placeholder you first construct the full
bind DN for the user (using the same attribute/template the code uses to build
bind DNs), apply a DN-aware escape (escape DN special chars / use a DN-escaping
helper) and then insert that escaped DN into options.groupFilter; keep using
escapeFilter(id) for pure filter-valued placeholders. Update the code path
around the current const filter assignment (where options.groupFilter and
escapeFilter are referenced) and add a regression test that uses an id
containing commas, equals and leading/trailing spaces to ensure the substituted
DN cannot change the matched uniqueMember.
- Around line 121-125: The code calls escapeDN(authData.id) without validating
authData.id which can be missing or non-string and cause a TypeError; update the
logic around escapedId/userCn to first validate that authData && typeof
authData.id === 'string' (or else reject/throw a Parse.Error or return an error)
before calling escapeDN, and ensure any early-return/error uses the same error
type used elsewhere; modify the block around escapeDN, escapedId, and the userCn
construction (references: escapeDN, authData.id, escapedId, userCn, options.dn)
to perform the validation and handle malformed payloads gracefully.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 446dbb3d-12c2-4692-b3c3-bff4e91069f3

📥 Commits

Reviewing files that changed from the base of the PR and between e2687b0 and 3535e2f.

📒 Files selected for processing (2)

• spec/LdapAuth.spec.js
• src/Adapters/Auth/ldap.js

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

spec/LdapAuth.spec.js (1)

96-128: Consider using async/await with try/finally for server cleanup.

The tests use the async done pattern, but if an assertion fails before server.close(done), the server may not be properly closed, potentially causing test suite hangs or port conflicts.

♻️ Suggested improvement for reliable cleanup

-    it('should reject missing authData.id', async done => {
-      const server = await mockLdapServer(port, 'uid=testuser, o=example');
-      const options = {
-        suffix: 'o=example',
-        url: `ldap://localhost:${port}`,
-        dn: 'uid={{id}}, o=example',
-      };
-      try {
-        await ldap.validateAuthData({ password: 'secret' }, options);
-        fail('Should have rejected missing id');
-      } catch (err) {
-        expect(err.message).toBe('LDAP: Wrong username or password');
-      }
-      server.close(done);
-    });
+    it('should reject missing authData.id', async () => {
+      const server = await mockLdapServer(port, 'uid=testuser, o=example');
+      try {
+        const options = {
+          suffix: 'o=example',
+          url: `ldap://localhost:${port}`,
+          dn: 'uid={{id}}, o=example',
+        };
+        await expectAsync(
+          ldap.validateAuthData({ password: 'secret' }, options)
+        ).toBeRejectedWithError('LDAP: Wrong username or password');
+      } finally {
+        await new Promise(resolve => server.close(resolve));
+      }
+    });

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@spec/LdapAuth.spec.js` around lines 96 - 128, Replace the current async tests
that rely on `done` and call `server.close(done)` with an `async` test body that
uses try/finally: await `ldap.validateAuthData(...)` inside a try and perform
assertions in the try block, and always call `server.close()` in the finally
block so the `mockLdapServer(port, ...)` started at the top of each test is
reliably closed; reference the test titles ('should reject missing authData.id',
'should reject non-string authData.id'), the `mockLdapServer` variable, and the
`ldap.validateAuthData` calls to locate where to wrap the logic in try/finally
and remove the `done` callback usage.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Adapters/Auth/ldap.js`:
- Around line 179-180: The groupFilter replacement in searchForGroup using
escapeFilter(id) can still allow DN-structure based injection when filters are
DN-valued (e.g., "uniqueMember=uid={{id}},o=example"); detect when
options.groupFilter contains a DN-style attribute (look for patterns like
"attr=.*{{id}}" or presence of ","/"=" adjacent to the placeholder) and instead
of simple escapeFilter use strict DN handling: require and parse the incoming id
as a valid DN using the LDAP DN parser (e.g., parseDN/DistinguishedName
utilities) and then canonicalize/serialize it (or reject non-DNs) before
substituting, or reject filters that embed raw DNs and return an error; update
searchForGroup and any callers to validate/normalize DN-valued ids via parseDN
and adjust tests to include DN-normalization edge cases.

---

Nitpick comments:
In `@spec/LdapAuth.spec.js`:
- Around line 96-128: Replace the current async tests that rely on `done` and
call `server.close(done)` with an `async` test body that uses try/finally: await
`ldap.validateAuthData(...)` inside a try and perform assertions in the try
block, and always call `server.close()` in the finally block so the
`mockLdapServer(port, ...)` started at the top of each test is reliably closed;
reference the test titles ('should reject missing authData.id', 'should reject
non-string authData.id'), the `mockLdapServer` variable, and the
`ldap.validateAuthData` calls to locate where to wrap the logic in try/finally
and remove the `done` callback usage.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9acdbe2d-2e4c-448f-b173-3ae3f4250af4

📥 Commits

Reviewing files that changed from the base of the PR and between 3535e2f and 9b701f8.

📒 Files selected for processing (2)

• spec/LdapAuth.spec.js
• src/Adapters/Auth/ldap.js

[parseplatformorg]

🎉 This change has been released in version 9.5.2-alpha.13