[PDI-20206] Add base64/url decoding for passwords in LDAP authenticator

befc commented 1 month ago

As part of BISERVER-14644, it was missing to decode the passwords for LDAP authentication in the server. This PR reuses the method done in the previous issue (with some slight improvements) to also apply the same decodification on LDAP authentication.

@pentaho/tatooine_dev please review

buildguy commented 1 month ago

:x: Build failed in 1h 3m 19s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
extensions,repository

:no_entry: Failed Tests

:cloud_with_lightning_and_rain: 2 test(s) failed:

org.pentaho.platform.plugin.services.security.userrole.ldap.DefaultLdapAuthenticationProviderTest.testAuthenticate (click to expand)

``` Empty username not allowed ```

org.pentaho.platform.plugin.services.security.userrole.ldap.DefaultLdapAuthenticationProviderTest.testAuthenticate_badArgs (click to expand)

``` Unexpected exception, expected but was ```

Tests run: 2028, Failures: 2, Skipped: 5 Test Results

:information_source: This is an automatic message

hitachivantarasonarqube[bot] commented 1 month ago

Quality Gate failed

Failed conditions
59.1% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

buildguy commented 1 month ago

[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

📦 Vulnerable Dependencies

✍️ Summary

🔬 Research Details

[ CVE-2021-41411 ] org.drools:drools-core 6.4.0.Final

**Description:** [Drools](https://www.drools.org/) is a Business Rules Management System (BRMS) solution. It provides a core Business Rules Engine (BRE), a web authoring and rules management application (Drools Workbench), full runtime support for Decision Model and Notation (DMN) models at Conformance level 3 and an Eclipse IDE plugin for core development. A KIE project or module is simply a Maven Java project or module; with an additional metadata file `META-INF/kmodule.xml`. The `kmodule.xml` file is the descriptor that selects resources to KIE bases and configures those KIE bases and sessions. The `KieModuleMarshaller` class is responsible for loading the KIE Module. The module validates the `kiemodule.xml` file before loading it. However - the validation does not filter out XML external entity (XXE) tags. This can lead to code execution in the Drools server. This can be exploited by an attacker that is able to add or alter a KIE project/module.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

**Description:** Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.1

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3

**Description:** An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.3.3

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.2

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.1

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(Map map)` is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service. The call to `JSONArray.put(Map value)` can also trigger the vulnerability as it calls the above function. The attackers must still find an input that propagates either to the `JSONObject` class as a `Map` parameter or to `JSONArray.put(Map value)` function to trigger this vulnerability. The exploit is trivial as it is shown in the [PoC](https://github.com/jettison-json/jettison/issues/52) - ```java HashMap map=new HashMap<>(); map.put("t",map); JSONObject jsonObject=new JSONObject(map); ``` **Remediation:** ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.3.3

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.3.3

**Description:** Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.3.3

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(Map map)` is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service. The call to `JSONArray.put(Map value)` can also trigger the vulnerability as it calls the above function. The attackers must still find an input that propagates either to the `JSONObject` class as a `Map` parameter or to `JSONArray.put(Map value)` function to trigger this vulnerability. The exploit is trivial as it is shown in the [PoC](https://github.com/jettison-json/jettison/issues/52) - ```java HashMap map=new HashMap<>(); map.put("t",map); JSONObject jsonObject=new JSONObject(map); ``` **Remediation:** ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2022-40150 ] org.codehaus.jettison:jettison 1.1

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.

[ CVE-2022-45693 ] org.codehaus.jettison:jettison 1.2

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(Map map)` is used to parse or construct a JSON, a user-controlled input can cause a stack exhaustion if it is forwarded to the class for processing. This is because the patch for CVE-2022-45685 in version 1.5.2 is flawed and a simple case can trigger a bad recursion check, causing a denial of service. The call to `JSONArray.put(Map value)` can also trigger the vulnerability as it calls the above function. The attackers must still find an input that propagates either to the `JSONObject` class as a `Map` parameter or to `JSONArray.put(Map value)` function to trigger this vulnerability. The exploit is trivial as it is shown in the [PoC](https://github.com/jettison-json/jettison/issues/52) - ```java HashMap map=new HashMap<>(); map.put("t",map); JSONObject jsonObject=new JSONObject(map); ``` **Remediation:** ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2022-40149 ] org.codehaus.jettison:jettison 1.2

**Description:** Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

[ CVE-2022-1415 ] org.drools:drools-core 6.4.0.Final

**Description:** A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1

**Description:** Infinite recursion in Jettison leads to denial of service when creating a crafted JSONArray

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.2

**Description:** An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.3.3

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(JSONTokener x)` is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service. To exploit this issue, the attacker must find an input that propagates to the `JSONObject(JSONTokener x)` constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service - ```java String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)"; new JSONObject(s); ``` **Remediation:** ##### Development mitigations This issue can be mitigated by checking the nested depth of the input JSON before passing it to the `JSONObject` class. ``` public boolean validateJSON(String jsonString) { // Set a maximum depth limit (same limit as in the fix) final int MAX_DEPTH = 500; // Initialize a stack to track the current depth Stack stack = new Stack<>(); // Iterate through the characters in the string for (int i = 0; i < jsonString.length(); i++) { char c = jsonString.charAt(i); // If we encounter an opening curly brace, increment the depth if (c == '{') { stack.push(1); } // If we encounter a closing curly brace, decrement the depth else if (c == '}') { stack.pop(); } // If the depth exceeds the maximum limit, return false if (stack.size() > MAX_DEPTH) { return false; } } // If we reach the end of the string and the depth is zero, the JSON is valid return stack.isEmpty(); } ``` ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2023-1436 ] org.codehaus.jettison:jettison 1.1

**Description:** An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.1

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(JSONTokener x)` is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service. To exploit this issue, the attacker must find an input that propagates to the `JSONObject(JSONTokener x)` constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service - ```java String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)"; new JSONObject(s); ``` **Remediation:** ##### Development mitigations This issue can be mitigated by checking the nested depth of the input JSON before passing it to the `JSONObject` class. ``` public boolean validateJSON(String jsonString) { // Set a maximum depth limit (same limit as in the fix) final int MAX_DEPTH = 500; // Initialize a stack to track the current depth Stack stack = new Stack<>(); // Iterate through the characters in the string for (int i = 0; i < jsonString.length(); i++) { char c = jsonString.charAt(i); // If we encounter an opening curly brace, increment the depth if (c == '{') { stack.push(1); } // If we encounter a closing curly brace, decrement the depth else if (c == '}') { stack.pop(); } // If the depth exceeds the maximum limit, return false if (stack.size() > MAX_DEPTH) { return false; } } // If we reach the end of the string and the depth is zero, the JSON is valid return stack.isEmpty(); } ``` ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2022-45685 ] org.codehaus.jettison:jettison 1.2

**Description:** [Jettison](https://github.com/jettison-json/jettison) is a Java library for converting XML to JSON and vice-versa with the help of [StAX](https://en.wikipedia.org/wiki/StAX). When the `JSONObject(JSONTokener x)` is used to parse or construct a JSON, a user-controlled input can cause a stack buffer overflow if it is forwarded to the class for processing. This is because the function has a limited depth for nested objects, which can be easily exceeded in a malicious JSON. While this vulnerability may not allow for code execution, it can still cause a denial of service. To exploit this issue, the attacker must find an input that propagates to the `JSONObject(JSONTokener x)` constructor. The exploit is trivial as a simple JSON file containing a large number of opening brackets will cause the denial of service - ```java String s="{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{... (Repeat many times)"; new JSONObject(s); ``` **Remediation:** ##### Development mitigations This issue can be mitigated by checking the nested depth of the input JSON before passing it to the `JSONObject` class. ``` public boolean validateJSON(String jsonString) { // Set a maximum depth limit (same limit as in the fix) final int MAX_DEPTH = 500; // Initialize a stack to track the current depth Stack stack = new Stack<>(); // Iterate through the characters in the string for (int i = 0; i < jsonString.length(); i++) { char c = jsonString.charAt(i); // If we encounter an opening curly brace, increment the depth if (c == '{') { stack.push(1); } // If we encounter a closing curly brace, decrement the depth else if (c == '}') { stack.pop(); } // If the depth exceeds the maximum limit, return false if (stack.size() > MAX_DEPTH) { return false; } } // If we reach the end of the string and the depth is zero, the JSON is valid return stack.isEmpty(); } ``` ##### Development mitigations Wrap the `JSONObject` constructor with exception handling - ```java try { JSONObject jsonObject=new JSONObject(map); } catch(StackOverflowError e) { System.err.println("ERROR: Stack limit reached"); } ```

[ CVE-2023-35116 ] com.fasterxml.jackson.core:jackson-databind 2.14.2

**Description:** jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

buildguy commented 1 month ago

:x: Build failed in 1h 2m 49s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
core,extensions,repository

:ok_hand: All tests passed!

Tests run: 2599, Failures: 0, Skipped: 5 Test Results

:information_source: This is an automatic message

pentaho / pentaho-platform