From d0cc9f3b8b8b7aebb4980d1eb7228f0df2051672 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Fri, 31 Jul 2020 11:12:02 +0200
Subject: [PATCH 40/41] UTIL: DN sanitization
Some of the ldap servers returns DN in attributes such as isMemberOf
with spaces like dc=example, dc=com. That should be fine and we
should ignore them (cut them out) instead of escaping.
Resolves:
https://github.com/SSSD/sssd/issues/5261
(cherry picked from commit 882307cdc1b596ba0cc346a0001f4fc014818d82)
---
src/tests/cmocka/test_utils.c | 70 +++++++++++++++++++
src/util/util.c | 127 ++++++++++++++++++++++++++++++++++
src/util/util.h | 20 ++++++
3 files changed, 217 insertions(+)
diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c
index bd2c9e65d..aa245f00b 100644
--- a/src/tests/cmocka/test_utils.c
+++ b/src/tests/cmocka/test_utils.c
@@ -1935,6 +1935,73 @@ static void test_sss_get_domain_mappings_content(void **state)
* capaths might not be as expected. */
}
+
+static void test_sss_filter_sanitize_dn(void **state)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *trimmed;
+ int ret;
+ const char *DN = "cn=user,ou=people,dc=example,dc=com";
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ /* test that we remove spaces around '=' and ','*/
+ ret = sss_filter_sanitize_dn(tmp_ctx, DN, &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user,ou=people,dc=example,dc=com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user,ou =people,dc = example,dc = com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user, ou=people ,dc=example , dc=com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn=user, ou=people ,dc=example , dc=com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn= user, ou =people ,dc = example , dc = com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, " cn=user,ou=people,dc=example,dc=com ", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ ret = sss_filter_sanitize_dn(tmp_ctx, " cn=user, ou=people, dc=example, dc=com ", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(DN, trimmed);
+ talloc_free(trimmed);
+
+ /* test that we keep spaces inside a value */
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=people branch, dc=example, dc=com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal("cn=user\\20one,ou=people\\20\\20branch,dc=example,dc=com", trimmed);
+ talloc_free(trimmed);
+
+ /* test that we keep escape special chars like () */
+ ret = sss_filter_sanitize_dn(tmp_ctx, "cn = user one, ou=p(e)ople, dc=example, dc=com", &trimmed);
+ assert_int_equal(ret, EOK);
+ assert_string_equal("cn=user\\20one,ou=p\\28e\\29ople,dc=example,dc=com", trimmed);
+ talloc_free(trimmed);
+
+ talloc_free(tmp_ctx);
+}
+
int main(int argc, const char *argv[])
{
poptContext pc;
@@ -2044,6 +2111,9 @@ int main(int argc, const char *argv[])
cmocka_unit_test_setup_teardown(test_sss_ptr_hash_without_cb,
setup_leak_tests,
teardown_leak_tests),
+ cmocka_unit_test_setup_teardown(test_sss_filter_sanitize_dn,
+ setup_leak_tests,
+ teardown_leak_tests),
};
/* Set debug level to invalid value so we can decide if -d 0 was used. */
diff --git a/src/util/util.c b/src/util/util.c
index e3efa7fef..4051c1f4e 100644
--- a/src/util/util.c
+++ b/src/util/util.c
@@ -530,6 +530,133 @@ errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
}
+
+/* There is similar function ldap_dn_normalize in openldap.
+ * To avoid dependecies across project we have this own func.
+ * Also ldb can do this but doesn't handle all the cases
+ */
+static errno_t sss_trim_dn(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **trimmed)
+{
+ int i = 0;
+ int o = 0;
+ int s;
+ char *output;
+ enum sss_trim_dn_state {
+ SSS_TRIM_DN_STATE_READING_NAME,
+ SSS_TRIM_DN_STATE_READING_VALUE
+ } state = SSS_TRIM_DN_STATE_READING_NAME;
+
+ *trimmed = NULL;
+
+ output = talloc_array(mem_ctx, char, strlen(input) + 1);
+ if (!output) {
+ return ENOMEM;
+ }
+
+ /* skip leading spaces */
+ while(isspace(input[i])) {
+ ++i;
+ }
+
+ while(input[i] != '\0') {
+ if (!isspace(input[i])) {
+ switch (input[i]) {
+ case '=':
+ output[o++] = input[i++];
+ if (state == SSS_TRIM_DN_STATE_READING_NAME) {
+ while (isspace(input[i])) {
+ ++i;
+ }
+ state = SSS_TRIM_DN_STATE_READING_VALUE;
+ }
+ break;
+ case ',':
+ output[o++] = input[i++];
+ if (state == SSS_TRIM_DN_STATE_READING_VALUE) {
+ while (isspace(input[i])) {
+ ++i;
+ }
+ state = SSS_TRIM_DN_STATE_READING_NAME;
+ }
+ break;
+ case '\\':
+ output[o++] = input[i++];
+ if (input[i] != '\0') {
+ output[o++] = input[i++];
+ }
+ break;
+ default:
+ if (input[i] != '\0') {
+ output[o++] = input[i++];
+ }
+ break;
+ }
+
+ continue;
+ }
+
+ /* non escaped space found */
+ s = 1;
+ while (isspace(input[i + s])) {
+ ++s;
+ }
+
+ switch (state) {
+ case SSS_TRIM_DN_STATE_READING_NAME:
+ if (input[i + s] != '=') {
+ /* this is not trailing space - should not be removed */
+ while (isspace(input[i])) {
+ output[o++] = input[i++];
+ }
+ } else {
+ i += s;
+ }
+ break;
+ case SSS_TRIM_DN_STATE_READING_VALUE:
+ if (input[i + s] != ',') {
+ /* this is not trailing space - should not be removed */
+ while (isspace(input[i])) {
+ output[o++] = input[i++];
+ }
+ } else {
+ i += s;
+ }
+ break;
+ }
+ }
+
+ output[o--] = '\0';
+
+ /* trim trailing space */
+ while (o >= 0 && isspace(output[o])) {
+ output[o--] = '\0';
+ }
+
+ *trimmed = output;
+ return EOK;
+}
+
+errno_t sss_filter_sanitize_dn(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized)
+{
+ errno_t ret;
+ char *trimmed_dn = NULL;
+
+ ret = sss_trim_dn(mem_ctx, input, &trimmed_dn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sss_filter_sanitize_ex(mem_ctx, trimmed_dn, sanitized, NULL);
+
+ done:
+ talloc_free(trimmed_dn);
+ return ret;
+}
+
char *
sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr)
{
diff --git a/src/util/util.h b/src/util/util.h
index 8dc887cab..d7d2017fa 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -477,6 +477,26 @@ errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx,
char **sanitized,
char **lc_sanitized);
+/* Sanitize an input string (e.g. a DN) for use in
+ * an LDAP/LDB filter
+ *
+ * It is basically the same as sss_filter_sanitize(_ex),
+ * just extra spaces inside DN around '=' and ',' are removed
+ * before sanitizing other characters . According the documentation
+ * spaces in DN are allowed and some ldap servers can return them
+ * in isMemberOf or member attributes.
+ *
+ * (dc = my example, dc = com => dc=my\20example,dc=com)
+ *
+ * Returns a newly-constructed string attached to mem_ctx
+ * It will fail only on an out of memory condition, where it
+ * will return ENOMEM.
+ *
+ */
+errno_t sss_filter_sanitize_dn(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized);
+
char *
sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr);
--
2.21.3