Fix code scanning alert no. 129: LDAP query built from user-controlled sources

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2024-11-16 21:42:58 +00:00 · 2024-11-05 18:10:16 -05:00 · 2024-11-05 18:10:16 -05:00 · 1f36cad9ef
commit 1f36cad9ef
parent fe68a0776c
1 changed files with 2 additions and 1 deletions
--- a/backend/open_webui/apps/webui/routers/auths.py
+++ b/backend/open_webui/apps/webui/routers/auths.py
@ -44,6 +44,7 @@ from typing import Optional, List

 from ldap3 import Server, Connection, ALL, Tls
 from ssl import CERT_REQUIRED, PROTOCOL_TLS
+from ldap3.utils.conv import escape_filter_chars

 router = APIRouter()

@ -181,7 +182,7 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):

        search_success = connection_app.search(
            search_base=LDAP_SEARCH_BASE,
-            search_filter=f'(&({LDAP_ATTRIBUTE_FOR_USERNAME}={form_data.user.lower()}){LDAP_SEARCH_FILTERS})',
+            search_filter=f'(&({LDAP_ATTRIBUTE_FOR_USERNAME}={escape_filter_chars(form_data.user.lower())}){LDAP_SEARCH_FILTERS})',
            attributes=[f'{LDAP_ATTRIBUTE_FOR_USERNAME}', 'mail', 'cn']
        )