Ensure that all LDAP conditions escape attribute values

Closes https://github.com/keycloak/keycloak/issues/24767

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2023-11-14 10:12:10 +01:00 committed by Bruno Oliveira da Silva
parent 860978b15a
commit c8009b4627
7 changed files with 20 additions and 68 deletions


@ -17,10 +17,6 @@
package org.keycloak.storage.ldap.idm.query.internal;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPUtil;
import java.util.Date;
/**
* @author Pedro Igor
*/
@ -37,17 +33,6 @@ class BetweenCondition extends NamedParameterCondition {
@Override
public void applyCondition(StringBuilder filter) {
Comparable x = this.x;
Comparable y = this.y;
if (Date.class.isInstance(x)) {
x = LDAPUtil.formatDate((Date) x);
}
if (Date.class.isInstance(y)) {
y = LDAPUtil.formatDate((Date) y);
}
filter.append("(").append(x).append("<=").append(getParameterName()).append("<=").append(y).append(")");
filter.append("(").append(escapeValue(x)).append("<=").append(getParameterName()).append("<=").append(escapeValue(y)).append(")");
}
}
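Review bot: The filter this line now builds, `(x<=attr<=y)`, is not a form the RFC 4515 grammar defines — a filter item is a single `(attr<=value)` assertion — so a server may reject or misparse a between query no matter how well x and y are escaped; the standard way to express the range is the conjunction `filter.append("(&(").append(getParameterName()).append(">=").append(escapeValue(x)).append(")(").append(getParameterName()).append("<=").append(escapeValue(y)).append("))");`. The strict `>` and `<` branches in GreaterThanCondition and LessThanCondition have the same problem, since RFC 4515 only defines `>=` and `<=`. This predates the commit, so it reads as a follow-up rather than a blocker for the escaping fix.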


@ -19,9 +19,6 @@ package org.keycloak.storage.ldap.idm.query.internal;
import org.keycloak.models.LDAPConstants;
import org.keycloak.storage.ldap.idm.query.EscapeStrategy;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPUtil;
import java.util.Date;
/**
* @author Pedro Igor
@ -51,14 +48,7 @@ public class EqualCondition extends NamedParameterCondition {
@Override
public void applyCondition(StringBuilder filter) {
Object parameterValue = value;
if (Date.class.isInstance(value)) {
parameterValue = LDAPUtil.formatDate((Date) parameterValue);
}
String escaped = new OctetStringEncoder(escapeStrategy).encode(parameterValue, isBinary());
filter.append("(").append(getParameterName()).append(LDAPConstants.EQUAL).append(escaped).append(")");
filter.append("(").append(getParameterName()).append(LDAPConstants.EQUAL).append(escapeValue(value, escapeStrategy)).append(")");
}
@Override


@ -17,10 +17,6 @@
package org.keycloak.storage.ldap.idm.query.internal;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPUtil;
import java.util.Date;
/**
* @author Pedro Igor
*/
@ -38,17 +34,7 @@ class GreaterThanCondition extends NamedParameterCondition {
@Override
public void applyCondition(StringBuilder filter) {
Comparable parameterValue = value;
if (Date.class.isInstance(parameterValue)) {
parameterValue = LDAPUtil.formatDate((Date) parameterValue);
}
if (orEqual) {
filter.append("(").append(getParameterName()).append(">=").append(parameterValue).append(")");
} else {
filter.append("(").append(getParameterName()).append(">").append(parameterValue).append(")");
}
filter.append("(").append(getParameterName()).append(orEqual? ">=" : ">").append(escapeValue(value)).append(")");
}
@Override
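Review bot: `orEqual? ">=" : ">"` on the rewritten filter line has the `?` glued to the condition, which reads like a misplaced operator; the conventional spacing is `orEqual ? ">=" : ">"`, and pulling the operator out first keeps the append chain scannable: `String op = orEqual ? ">=" : ">";` followed by `filter.append("(").append(getParameterName()).append(op).append(escapeValue(value)).append(")");`. The identical line shape appears in LessThanCondition with `<=`/`<` and would benefit from the same treatment. The trailing `@Override` belongs to a method outside this hunk.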


@ -36,10 +36,8 @@ class InCondition extends NamedParameterCondition {
filter.append("(&(");
for (int i = 0; i< valuesToCompare.length; i++) {
Object value = new OctetStringEncoder().encode(valuesToCompare[i], isBinary());
filter.append("(").append(getParameterName()).append(LDAPConstants.EQUAL).append(value).append(")");
for (Object value : valuesToCompare) {
filter.append("(").append(getParameterName()).append(LDAPConstants.EQUAL).append(escapeValue(value)).append(")");
}
filter.append("))");
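Review bot: With an empty `valuesToCompare` the rewritten loop appends nothing and the method emits `(&())`, which is not a well-formed filter; since the loop is being touched anyway, a guard such as `if (valuesToCompare.length == 0) { throw new IllegalArgumentException("InCondition requires at least one value"); }` before the opening `filter.append("(&(")` would make that failure explicit, or whatever empty-set behaviour the callers expect. Separately, the `(&(` … `))` wrapper puts the `(attr=v)` items one parenthesis level deeper than the RFC 4515 `and` form `(&(attr=v)(attr=w))`, and the `&` means an entry must carry every value at once, which looks like it was meant to be `(|(` … `))` for an IN semantic — I cannot see the class Javadoc from this hunk, so treat that as something to confirm. The method signature and the `valuesToCompare` field are outside the hunk.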


@ -17,10 +17,6 @@
package org.keycloak.storage.ldap.idm.query.internal;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPUtil;
import java.util.Date;
/**
* @author Pedro Igor
*/
@ -38,16 +34,6 @@ class LessThanCondition extends NamedParameterCondition {
@Override
public void applyCondition(StringBuilder filter) {
Comparable parameterValue = value;
if (Date.class.isInstance(parameterValue)) {
parameterValue = LDAPUtil.formatDate((Date) parameterValue);
}
if (orEqual) {
filter.append("(").append(getParameterName()).append("<=").append(parameterValue).append(")");
} else {
filter.append("(").append(getParameterName()).append("<").append(parameterValue).append(")");
}
filter.append("(").append(getParameterName()).append(orEqual? "<=" : "<").append(escapeValue(value)).append(")");
}
}


@ -17,7 +17,10 @@
package org.keycloak.storage.ldap.idm.query.internal;
import java.util.Date;
import org.keycloak.storage.ldap.idm.query.Condition;
import org.keycloak.storage.ldap.idm.query.EscapeStrategy;
import org.keycloak.storage.ldap.idm.store.ldap.LDAPUtil;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
@ -58,4 +61,15 @@ public abstract class NamedParameterCondition implements Condition {
public boolean isBinary() {
return binary;
}
public String escapeValue(Object value) {
return escapeValue(value, EscapeStrategy.DEFAULT);
}
public String escapeValue(Object value, EscapeStrategy strategy) {
if (Date.class.isInstance(value)) {
value = LDAPUtil.formatDate((Date) value);
}
return new OctetStringEncoder(strategy).encode(value, isBinary());
}
}
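Review bot: The two new public `escapeValue` overloads carry no Javadoc, yet they are now the single point every condition depends on for filter safety, so the contract is worth stating: a `java.util.Date` is first rendered through `LDAPUtil.formatDate`, any other value is handed to `OctetStringEncoder.encode` and escaped with the given strategy (or as an octet string when `isBinary()` is true, per that encoder's hunk), and `strategy` must not be null because the encoder no longer has a null branch. A summary on the two-argument overload along the lines of `/** Formats {@code value} (a Date via LDAPUtil.formatDate) and escapes it for use in an LDAP filter with {@code strategy}, or as an octet string when this condition is binary. @param strategy the escape strategy; must not be null */`, with `{@link #escapeValue(Object, EscapeStrategy)}` and a note that `EscapeStrategy.DEFAULT` is used on the one-argument form, would cover it. On style, `Date.class.isInstance(value)` reads more naturally as `value instanceof Date`, and reassigning the parameter could become a local: `Object formatted = value instanceof Date ? LDAPUtil.formatDate((Date) value) : value;`.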


@ -6,15 +6,10 @@ class OctetStringEncoder {
private final EscapeStrategy fallback;
OctetStringEncoder() {
this(null);
}
OctetStringEncoder(EscapeStrategy fallback) {
this.fallback = fallback;
}
public String encode(Object parameterValue, boolean isBinary) {
String escaped;
if (parameterValue instanceof byte[]) {
@ -30,8 +25,6 @@ class OctetStringEncoder {
String stringValue = parameterValue.toString();
if (isBinary) {
escaped = EscapeStrategy.OCTET_STRING.escape(stringValue);
} else if (fallback == null){
escaped = stringValue;
} else {
escaped = fallback.escape(stringValue);
}
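Review bot: Dropping the `fallback == null` branch turns a null strategy from a silent pass-through of the raw string into a `NullPointerException` at `fallback.escape(stringValue)`, which is the safer failure but is now only implicit; the remaining constructor should state the precondition with `this.fallback = Objects.requireNonNull(fallback, "fallback");` (import `java.util.Objects`) so a missing strategy fails where the encoder is built rather than mid-way through filter assembly. This matters for EqualCondition, which now forwards its own `escapeStrategy` field; whether that field can be null is not visible in its hunk and should be checked. With the no-arg constructor gone the field is no longer a fallback at all, so renaming it to `strategy` would describe its role. The `encode` method continues outside the hunk.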