From 1f36cad9ef6992733d0c19b9de5bb20f490358cb Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Tue, 5 Nov 2024 18:10:16 -0500
Subject: [PATCH] Fix code scanning alert no. 129: LDAP query built from user-controlled sources
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 backend/open_webui/apps/webui/routers/auths.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/backend/open_webui/apps/webui/routers/auths.py b/backend/open_webui/apps/webui/routers/auths.py
index d8134e3c9..feea350cc 100644
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@@ -44,6 +44,7 @@ from typing import Optional, List
 from ldap3 import Server, Connection, ALL, Tls
 from ssl import CERT_REQUIRED, PROTOCOL_TLS
+from ldap3.utils.conv import escape_filter_chars
 
 router = APIRouter()
 
@@ -181,7 +182,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
             search_success = connection_app.search(
                 search_base=LDAP_SEARCH_BASE,
-                search_filter=f'(&({LDAP_ATTRIBUTE_FOR_USERNAME}={form_data.user.lower()}){LDAP_SEARCH_FILTERS})',
+                search_filter=f'(&({LDAP_ATTRIBUTE_FOR_USERNAME}={escape_filter_chars(form_data.user.lower())}){LDAP_SEARCH_FILTERS})',
                 attributes=[f'{LDAP_ATTRIBUTE_FOR_USERNAME}', 'mail', 'cn']
             )
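Review bot: The escaping on the new `search_filter` line covers only the user-supplied operand; `LDAP_ATTRIBUTE_FOR_USERNAME` and `LDAP_SEARCH_FILTERS` are still interpolated raw, which is only safe while both come exclusively from server configuration, and nothing in the hunk records that assumption. Hoisting the escaped value out of the f-string also makes the trust boundary visible and shortens an over-long line: `# form_data.user is request-controlled; escape it so it cannot change the filter structure`, `escaped_user = escape_filter_chars(form_data.user.lower())`, then `search_filter=f'(&({LDAP_ATTRIBUTE_FOR_USERNAME}={escaped_user}){LDAP_SEARCH_FILTERS})',`. Whether `form_data.user` is also used elsewhere in ldap_auth (for example in a bind DN) is not visible here; if it is, that use needs the DN-appropriate escaping rather than filter escaping. The enclosing `ldap_auth` function starts and ends outside the hunk.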