Merge commit from fork

auth/ldap: Fix GHSA-5835-4gvc-32pc

Author: foxcpp

go.mod

@@ -107,6 +107,7 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/jimlambrt/gldap v0.1.14 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect

go.sum

@@ -488,6 +488,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/jimlambrt/gldap v0.1.14 h1:InG9kldhIu6OoQK0hvfkW1Lqpc5eLJhxiiDTNmRnrDM=
+github.com/jimlambrt/gldap v0.1.14/go.mod h1:yobW9JIAmqe23dVNOaMWewPaff6jGaHgYjspPIIgYmg=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=

internal/auth/ldap/ldap.go

@@ -225,7 +225,7 @@ func (a *Auth) Lookup(_ context.Context, username string) (string, bool, error)
 		req := ldap.NewSearchRequest(
 			a.baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
 			2, 0, false,
-			strings.ReplaceAll(a.filterTemplate, "{username}", username),
+			strings.ReplaceAll(a.filterTemplate, "{username}", ldap.EscapeFilter(username)),
 			[]string{"dn"}, nil)
 		res, err := conn.Search(req)
 		if err != nil {
@@ -252,12 +252,12 @@ func (a *Auth) AuthPlain(username, password string) error {
 
 	var userDN string
 	if a.dnTemplate != "" {
-		userDN = strings.ReplaceAll(a.dnTemplate, "{username}", username)
+		userDN = strings.ReplaceAll(a.dnTemplate, "{username}", ldap.EscapeDN(username))
 	} else {
 		req := ldap.NewSearchRequest(
 			a.baseDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases,
 			2, 0, false,
-			strings.ReplaceAll(a.filterTemplate, "{username}", username),
+			strings.ReplaceAll(a.filterTemplate, "{username}", ldap.EscapeFilter(username)),
 			[]string{"dn"}, nil)
 		res, err := conn.Search(req)
 		if err != nil {

tests/conn.go

@@ -211,7 +211,7 @@ func (c *Conn) SMTPPlainAuth(username, password string, expectOk bool) {
 	if expectOk {
 		c.ExpectPattern("235 *")
 	} else {
-		c.ExpectPattern("*")
+		c.ExpectPattern("5*")
 	}
 }
 
@@ -282,6 +282,13 @@ func (c *Conn) Close() error {
 	return c.Conn.Close()
 }
 
+func (c *Conn) MustClose() {
+	c.T.Helper()
+	if err := c.Close(); err != nil {
+		c.fatal("Close: %v", err)
+	}
+}
+
 func (c *Conn) Rebind(subtest *T) *Conn {
 	cpy := *c
 	cpy.T = subtest

tests/ghsa_5835_4gvc_32pc_test.go

@@ -0,0 +1,178 @@
+//go:build integration
+
+package tests_test
+
+import (
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/foxcpp/maddy/tests"
+	"github.com/jimlambrt/gldap"
+	"github.com/stretchr/testify/require"
+)
+
+type searchEntry struct {
+	dn      string
+	options []gldap.Option
+}
+
+type MockLDAP struct {
+	T             *testing.T
+	SearchEntries map[string][]searchEntry
+	AllowedBinds  map[string]string
+}
+
+func (ml *MockLDAP) HandleBind(w *gldap.ResponseWriter, r *gldap.Request) {
+	resp := r.NewBindResponse(
+		gldap.WithResponseCode(gldap.ResultInvalidCredentials),
+	)
+
+	m, err := r.GetSimpleBindMessage()
+	if err != nil {
+		require.NoError(ml.T, w.Write(resp))
+		return
+	}
+
+	pass, ok := ml.AllowedBinds[m.UserName]
+	if ok && pass == string(m.Password) {
+		resp.SetResultCode(gldap.ResultSuccess)
+		require.NoError(ml.T, w.Write(resp))
+	}
+
+	require.NoError(ml.T, w.Write(resp))
+}
+
+func (ml *MockLDAP) HandleSearch(w *gldap.ResponseWriter, r *gldap.Request) {
+	resp := r.NewSearchDoneResponse()
+	m, err := r.GetSearchMessage()
+	if err != nil {
+		ml.T.Logf("not a search message: %s", err)
+		require.NoError(ml.T, w.Write(resp))
+		return
+	}
+	ml.T.Logf("search base dn: %s", m.BaseDN)
+	ml.T.Logf("search scope: %d", m.Scope)
+	ml.T.Logf("search filter: %s", m.Filter)
+
+	entries := ml.SearchEntries[m.Filter]
+	for _, entry := range entries {
+		ldapEntry := r.NewSearchResponseEntry(entry.dn, entry.options...)
+		require.NoError(ml.T, w.Write(ldapEntry))
+	}
+
+	resp.SetResultCode(gldap.ResultSuccess)
+	require.NoError(ml.T, w.Write(resp))
+}
+
+func (ml *MockLDAP) Run(address string) {
+	s, err := gldap.NewServer()
+	if err != nil {
+		ml.T.Fatalf("unable to create server: %s", err.Error())
+	}
+
+	// create a router and add a bind handler
+	r, err := gldap.NewMux()
+	if err != nil {
+		ml.T.Fatalf("unable to create router: %s", err.Error())
+	}
+	require.NoError(ml.T, r.Bind(ml.HandleBind))
+	require.NoError(ml.T, r.Search(ml.HandleSearch))
+	require.NoError(ml.T, s.Router(r))
+	go func() {
+		require.NoError(ml.T, s.Run(address))
+	}()
+	ml.T.Cleanup(func() {
+		require.NoError(ml.T, s.Stop())
+	})
+
+	for !s.Ready() {
+		ml.T.Log("Waiting for server to start")
+		time.Sleep(100 * time.Millisecond)
+	}
+}
+
+func TestLDAPInjectionFilter(tt *testing.T) {
+	tt.Parallel()
+	t := tests.NewT(tt)
+
+	ldapPort := t.Port("ldap")
+
+	ldapSrv := &MockLDAP{
+		T: tt,
+		AllowedBinds: map[string]string{
+			"DC=com,CN=bob":   "bob_pass",
+			"DC=com,CN=alice": "alice_pass",
+		},
+		SearchEntries: map[string][]searchEntry{
+			"(&(objectClass=inetOrgPerson)(uid=alice))": {
+				{
+					dn: "DC=com,CN=alice",
+					options: []gldap.Option{
+						gldap.WithAttributes(map[string][]string{
+							"objectClass": {"inetOrgPerson"},
+							"uid":         {"alice"},
+							"description": {"prefix_test"},
+						}),
+					},
+				},
+			},
+			"(&(objectClass=inetOrgPerson)(uid=bob))": {
+				{
+					dn: "DC=com,CN=bob",
+					options: []gldap.Option{
+						gldap.WithAttributes(map[string][]string{
+							"objectClass": {"inetOrgPerson"},
+							"uid":         {"bob"},
+							"description": {"prefix_test"},
+						}),
+					},
+				},
+			},
+			"(&(objectClass=inetOrgPerson)(uid=bob)(description=prefix*))": {
+				{
+					dn: "DC=com,CN=bob",
+					options: []gldap.Option{
+						gldap.WithAttributes(map[string][]string{
+							"objectClass": {"inetOrgPerson"},
+							"uid":         {"bob"},
+							"description": {"prefix_test"},
+						}),
+					},
+				},
+			},
+		},
+	}
+	ldapSrv.Run(":" + strconv.Itoa(int(ldapPort)))
+
+	t.Port("smtp")
+	t.DNS(nil)
+	t.Config(`
+		hostname mx.maddy.test
+		tls off
+
+		auth.ldap ldap_auth {
+			urls ldap://127.0.0.1:{env:TEST_PORT_ldap}
+			bind plain "DC=com,CN=bob" "bob_pass"
+			base_dn "DC=com"
+			filter "(&(objectClass=inetOrgPerson)(uid={username}))"
+		}
+
+		submission tcp://0.0.0.0:{env:TEST_PORT_smtp} {
+			auth &ldap_auth
+			deliver_to dummy
+		}
+	`)
+	t.Run(1)
+	defer t.Close()
+
+	smtpConn := t.Conn("smtp")
+	defer smtpConn.MustClose()
+	smtpConn.SMTPNegotation("clieht.maddy.test", nil, nil)
+	smtpConn.SMTPPlainAuth("alice", "alice_pass", true)
+
+	smtpConn2 := t.Conn("smtp")
+	defer smtpConn2.MustClose()
+	smtpConn2.SMTPNegotation("clieht.maddy.test", nil, nil)
+	smtpConn2.SMTPPlainAuth("bob)(description=prefix*", "bob_pass", false)
+}