Sanitize user input
Replace the special characters with the escape codes defined in the LDAP
specification.

Closes #21
vesse committed Aug 14, 2015
1 parent 227327a commit 3feea43
Showing 2 changed files with 16 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGES.md
@@ -1,5 +1,9 @@
# node-ldapauth-fork Changelog

## 2.3.3

- [issue #20] Sanitize user input

## 2.3.2

- [issue #19] Added messages to options asserts
13 changes: 12 additions & 1 deletion lib/ldapauth.js
Expand Up @@ -219,6 +219,17 @@ LdapAuth.prototype._search = function (searchBase, options, callback) {
});
};

// https://tools.ietf.org/search/rfc4515#section-3
var sanitizeInput = function (username) {
return username
.replace(/\*/g, '\\2a')
.replace(/\(/g, '\\28')
.replace(/\)/g, '\\29')
.replace(/\\/g, '\\5c')
.replace(/\0/g, '\\00')
.replace(/\//g, '\\2f');
};

/**
* Find the user record for the given username.
*
Expand All @@ -233,7 +244,7 @@ LdapAuth.prototype._findUser = function (username, callback) {
return callback("empty username");
}

var searchFilter = self.opts.searchFilter.replace(/{{username}}/g, username);
var searchFilter = self.opts.searchFilter.replace(/{{username}}/g, sanitizeInput(username));
var opts = {filter: searchFilter, scope: self.opts.searchScope};
if (self.opts.searchAttributes) {
opts.attributes = self.opts.searchAttributes;
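Review bot: The backslash replacement in sanitizeInput runs after the `*`, `(` and `)` replacements, so the `\` that those escapes introduce is itself re-escaped (`*` becomes `\5c2a` rather than `\2a`), which produces a filter that no longer matches the intended value; move `.replace(/\\/g, '\\5c')` to be the first call in the chain. RFC 4515 section 3 only requires `*`, `(`, `)`, `\` and NUL to be escaped, so the `/` replacement is harmless but deserves a comment such as `// '/' is not required by RFC 4515; escaped defensively` so the next reader does not remove it as a mistake. In the `_findUser` change, `String.prototype.replace` with a string replacement interprets `$` patterns such as `$&` and `$'`, so a username containing them would have fragments of the unescaped filter template spliced back in; computing `var sanitized = sanitizeInput(username);` first and passing `function () { return sanitized; }` as the replacement avoids that. `_findUser` starts and ends outside the hunk.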
