escape ldap filters

changelog/unreleased/escape-ldap-filter.md

@@ -0,0 +1,5 @@
+Enhancement: escape ldap filters 
+
+Added ldap filter escaping to increase the security of reva.
+
+https://github.com/cs3org/reva/pull/2042

pkg/auth/manager/ldap/ldap.go

@@ -244,5 +244,5 @@ func (am *mgr) Authenticate(ctx context.Context, clientID, clientSecret string)
 }
 
 func (am *mgr) getLoginFilter(login string) string {
-	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", login)
+	return strings.ReplaceAll(am.c.LoginFilter, "{{login}}", ldap.EscapeFilter(login))
 }

pkg/group/manager/ldap/ldap.go

@@ -393,10 +393,10 @@ func (m *manager) getMemberFilter(gid *grouppb.GroupId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }

pkg/user/manager/ldap/ldap.go

@@ -424,12 +424,12 @@ func (m *manager) getUserFilter(uid *userpb.UserId) string {
 }
 
 func (m *manager) getAttributeFilter(attribute, value string) string {
-	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", attribute)
-	return strings.ReplaceAll(attr, "{{value}}", value)
+	attr := strings.ReplaceAll(m.c.AttributeFilter, "{{attr}}", ldap.EscapeFilter(attribute))
+	return strings.ReplaceAll(attr, "{{value}}", ldap.EscapeFilter(value))
 }
 
 func (m *manager) getFindFilter(query string) string {
-	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", query)
+	return strings.ReplaceAll(m.c.FindFilter, "{{query}}", ldap.EscapeFilter(query))
 }
 
 func (m *manager) getGroupFilter(uid *userpb.UserId) string {