Closed Dawoodkhorsandi closed 2 years ago
Oh I found this now https://github.com/noirello/bonsai/blob/master/src/bonsai/utils.py
But the Bad Search Filter Error
remained.
So now the question is where bonsai.utils.escape_attribute_value
and bonsai.utils.bonsai.utils.escape_attribute_value
should be used? Because they're not used by bonsai internallly.
Are they meant to be used to prevent LDAP injection?
Hi, could you give me a full search example?
import asyncio
from bonsai import LDAPClient
from bonsai.utils import escape_filter_exp
async def run_me():
ldap_host_url = 'ldap://hostname'
admin_dn = 'LDAP admin dn'
admin_password = 'LDAP admin password'
base_dn = 'valid base dn'
scope = 1
offset = 0
ldap_search_fields = ['dn', 'sn', 'createTimestamp']
ldap_filter = '(&(mail=john_doe@example.com)(cn=john))'
print(f'Filter before been escaped -> {ldap_filter}')
ldap_filter = escape_filter_exp(ldap_filter)
print(f'Filter after been escaped -> {ldap_filter}')
client = LDAPClient(ldap_host_url)
client.set_credentials('SIMPLE', user=admin_dn, password=admin_password)
connection = await client.connect(is_async=True)
search_result = await connection.virtual_list_search(base_dn,
scope,
filter_exp=ldap_filter,
attrlist=ldap_search_fields,
sort_order=['-createTimestamp'],
offset=offset,
before_count=0,
after_count=10,
)
return search_result
asyncio.run(run_me())
Traceback
Filter before been escaped -> (&(mail=john_doe@example.com)(cn=john))
Filter after been escaped -> \28&\28mail=john_doe@example.com\29\28cn=john\29\29
Traceback (most recent call last):
File "/home/dawood/repositories/abrnoc/backoffice/ldap_injection_prevention.py", line 36, in <module>
asyncio.run(run_me())
File "/usr/lib/python3.8/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
return future.result()
File "/home/dawood/repositories/abrnoc/backoffice/ldap_injection_prevention.py", line 24, in run_me
search_result = await connection.virtual_list_search(base_dn,
File "/home/dawood/repositories/abrnoc/backoffice/venv/lib/python3.8/site-packages/bonsai/ldapconnection.py", line 203, in virtual_list_search
return self.__base_search(
File "/home/dawood/repositories/abrnoc/backoffice/venv/lib/python3.8/site-packages/bonsai/ldapconnection.py", line 95, in __base_search
msg_id = super().search(
bonsai.errors.LDAPError: Bad search filter. (0xFFF9 [-7])
I guess the escape_filter_exp
should be used on individual values like john_doe@example.com
not the whole filter string.
Yes, you are right: escape_filter_exp
should only used on untrusted input parameters.
Thanks.
I think the example provided in the API documentation will mislead the readers.
>>> import bonsai
>>> bonsai.escape_filter_exp("(objectclass=*)")
'\\28objectclass=\\2A\\29'
From the docs, it seems that it should be used on the whole filter. Even the function name and its parameter name implies it escapes the whole filter expression.
You're right again. I'll update the docs with better examples.
Hi
I was trying to use this two functions escape_filter_chars and escape_dn_chars from python-ldap to prevent LDAP injections. But I've got
bonsai.errors.LDAPError: Bad search filter. (0xFFF9 [-7])
.I've read the docs already but I did not find any utility functions to prevent LDAP injection in bonsai.
What are the workarounds?
Thanks in advance Dawood