From 34614356c9d0a2b9e216b8c47de3245035f07156 Mon Sep 17 00:00:00 2001
From: Sven Feyerabend
Date: Sat, 8 May 2021 02:08:03 +0200
Subject: [PATCH] Escape user input in ladp filters

---
 ldap-overleaf-sl/Dockerfile | 1 +
 ldap-overleaf-sl/sharelatex/AuthenticationManager.js | 10 ++++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/ldap-overleaf-sl/Dockerfile b/ldap-overleaf-sl/Dockerfile
index d268490..f1231ef 100644
--- a/ldap-overleaf-sl/Dockerfile
+++ b/ldap-overleaf-sl/Dockerfile
@@ -18,6 +18,7 @@ RUN npm install -g npm
 #RUN npm cache clean --force
 RUN npm install ldapts-search
 RUN npm install ldapts
+RUN npm install ldap-escape
 #RUN npm install bcrypt@5.0.0
 
 # This variant of updateing texlive does not work
diff --git a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
index 7787d3c..53a18f9 100644
--- a/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
+++ b/ldap-overleaf-sl/sharelatex/AuthenticationManager.js
@@ -10,7 +10,7 @@ const {
 const util = require('util')
 const { Client } = require('ldapts');
-
+const ldapEscape = require('ldap-escape');
 // https://www.npmjs.com/package/@overleaf/o-error
 // have a look if we can do nice error messages.
 
 
@@ -275,7 +275,7 @@ const AuthenticationManager = {
 const ldap_base = process.env.LDAP_BASE
 var mail = query.email
 var uid = query.email.split('@')[0]
- const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(uid=' + uid + '))'
+ const filterstr = '(&' + process.env.LDAP_GROUP_FILTER + '(' + ldapEscape.filter`uid=${uid}` + '))'
 var userDn = "" //'uid=' + uid + ',' + ldap_bd;
 var firstname = ""
 var lastname = ""
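Review bot: `RUN npm install ldap-escape` installs whatever version of the package is current at build time, so the escaping the rest of this patch relies on is not reproducible between image builds, and a breaking or compromised upstream release would be picked up silently. Pin it, e.g. `RUN npm install ldap-escape@<pinned version>` (placeholder for the version you tested against), or install all three ldap packages from a committed package.json/package-lock.json with `npm ci`. The neighbouring `ldapts` and `ldapts-search` lines have the same problem but are outside this change.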
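Review bot: The escaping now covers `uid`, but nothing rejects an empty one: `uid` is `query.email.split('@')[0]`, so an address with no local part yields the filter `(uid=)` and nothing in this hunk stops the search from being issued. Guard it before building the filter, `if (!uid) return callback(null, null)`, which matches the failure shape the catch block uses further down in this function. The paren splicing could also move inside the template so the escaped item reads as one filter term, ``ldapEscape.filter`(uid=${uid})` ``, and the same applies to the admin filter in the @@ -313 hunk. `process.env.LDAP_GROUP_FILTER` is concatenated unescaped, which is acceptable for operator-controlled configuration but deserves a one-line comment saying that it is trusted for that reason. The enclosing function starts and ends outside the hunk.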
@@ -313,8 +313,8 @@ const AuthenticationManager = {
 try {
 // if admin filter is set - only set admin for user in ldap group
 // does not matter - admin is deactivated: managed through ldap
- if (process.env.LDAP_ADMIN_GROUP_FILTER) {
- const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(uid=' + uid + '))'
+ if (process.env.LDAP_ADMIN_GROUP_FILTER) {
+ const adminfilter = '(&' + process.env.LDAP_ADMIN_GROUP_FILTER + '(' +ldapEscape.filter`uid=${uid}` + '))'
 adminEntry = await client.search(ldap_base, {
 scope: 'sub',
 filter: adminfilter,
@@ -341,6 +341,8 @@ const AuthenticationManager = {
 } catch (ex) {
 console.log("Could not bind User: " + userDn + " err: " + String(ex))
 return callback(null, null)
+ } finally{
+ await client.unbind()
 }
 
 //console.log("Logging in user: " + mail + " Name: " + firstname + " " + lastname + " isAdmin: " + String(isAdmin))
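Review bot: The `if (process.env.LDAP_ADMIN_GROUP_FILTER) {` line is removed and re-added with text that appears identical, so this hunk seems to carry a whitespace-only re-indentation alongside the real fix on the `adminfilter` line; keeping such reformatting out of a security patch (or naming it in the commit message) makes the actual change easier to audit. The new line also has `'(' +ldapEscape.filter` without the space after `+` that the matching `filterstr` line in the @@ -275 hunk has; `'(' + ldapEscape.filter` keeps the two consistent. The enclosing function starts and ends outside the hunk.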
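Review bot: `await client.unbind()` in the new `finally` has no error handling, so if unbind ever rejects it replaces the `return callback(null, null)` above it with a rejection: the callback has already fired, and the async function's promise then rejects as well, most likely as an unhandled rejection with no log line. Wrap it so cleanup failure is reported but cannot override the function's result: `} finally {` / `try { await client.unbind() } catch (e) { console.log("Could not unbind: " + String(e)) }` / `}`. Whether `client` is declared before the `try` and therefore in scope in the `finally` cannot be seen from the hunk, since the enclosing function starts outside it. `finally{` also wants a space before the brace to match `catch (ex) {`.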