[
https://issues.apache.org/jira/browse/DERBY-7147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17639538#comment-17639538
]
Bryan Pendleton commented on DERBY-7147:
----------------------------------------
Yay! I've successfully run LDAPAuthenticationTest with your second patch
applied.
A tiny nit: your second patch includes a whitespace-only extra blank line, not
sure if this was intentional or not:
{code:java}
@@ -418,6 +468,7 @@
String searchFilter =
this.leftSearchFilter + uid + this.rightSearchFilter;
+
NamingEnumeration results =
ctx.search(searchBaseDN, searchFilter, ctls);
{code}
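Review bot: the uid concatenated on the 'this.leftSearchFilter + uid + this.rightSearchFilter' line has to be the already-escaped value, and nothing in these context lines shows where that happens. A one-line comment at this assignment naming the escaping step would let a reader confirm it here. The only added line in the hunk is the empty '+' line after the assignment, so dropping it removes the hunk from the patch altogether.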
Here are some raw notes. Perhaps someday they will be useful as memory-joggers,
should I need to do this again:
# I used Ubuntu Linux 20.04 and OpenJDK 19.0.1
# I installed ApacheDS and ApacheDirectoryStudio from
[https://directory.apache.org], just following
the directions.
# I started up ApacheDS by sudo /etc/init.d/apacheds-2.0.0.AM26-default start
# Using ApacheDirectoryStudio, I followed these instructions to generate a
sample database of users:
[https://directory.apache.org/apacheds/basic-ug/1.5-sample-configuration.html]
# I used ApacheDirectoryStudio to change the password for sample user
Cornelius Buckley to 'secret'
# I additionally created user 'kathy/kathyS' using ApacheDirectoryStudio to
add a new entry to the ou=people,o=sevenseas database using one of the existing
entries as a template.
# I applied your ("ab") patch and did 'ant all'
# I verified that LDAP authentication was working by following
[https://db.apache.org/derby/docs/10.16/security/cseccsecure863446.html] and
using the following properties for my test database:
##
{code:java}
derby.authentication.server=ldap://127.0.0.1:10389
derby.authentication.provider=LDAP
derby.authentication.ldap.searchBase=o=sevenseas
{code}
##
{code:java}
java -cp \
/home/bpendleton/derby/trunk/tools/java/junit.jar:/home/bpendleton/derby/trunk/classes/engine:/home/bpendleton/derby/trunk/classes/shared:/home/bpendleton/derby/trunk/classes/tools:/home/bpendleton/derby/trunk/classes/testing:/home/bpendleton/derby/trunk/classes/server:/home/bpendleton/derby/trunk/classes/drda:/home/bpendleton/derby/trunk/classes/client \
org.apache.derby.tools.ij
ij version 10.17
ij> connect 'jdbc:derby:test2;create=true;user=cbuckley;password=secret';
ij> quit;
{code}
# Lastly, I verified that LDAPAuthenticationTest passed by doing:
##
{code:java}
java -cp \
/home/bpendleton/derby/trunk/tools/java/junit.jar:/home/bpendleton/derby/trunk/classes/engine:/home/bpendleton/derby/trunk/classes/shared:/home/bpendleton/derby/trunk/classes/tools:/home/bpendleton/derby/trunk/classes/testing:/home/bpendleton/derby/trunk/classes/server:/home/bpendleton/derby/trunk/classes/drda:/home/bpendleton/derby/trunk/classes/client \
-DderbyTesting.ldapUser=cbuckley -DderbyTesting.ldapPassword=secret \
-DderbyTesting.ldapPort=10389 -DderbyTesting.dnString=sevenseas \
-DderbyTesting.ldapServer=ldap://127.0.0.1:10389 junit.textui.TestRunner \
org.apache.derbyTesting.functionTests.tests.jdbcapi.LDAPAuthenticationTest
{code}
## (Note that the help text for 'derbyTesting.ldapServer' in
LDAPAuthenticationTest doesn't make it very obvious that you're supposed to set
it to the value that will be used for the
'[derby.authentication.server|https://db.apache.org/derby/docs/10.16/ref/rrefproper25581.html]'
property; that took me a while to figure out)
Lastly, two final notes that I'm not sure if they are important or not:
# LDAPAuthenticationTest.java requires that I set
-DderbyTesting.ldapPort=10389, but as far as I can see it doesn't actually
*use* that setting anywhere. It sets the 'ldapPort' variable, but I can't find
anything that uses that variable. Note from above that when I run the test, I
specify the port number in the 'ldapServer' URL.
# LDAPAuthenticationTest.java includes the following line. I can't figure out
if this line interacts with your patch in any interesting ways or not. Is your
patch in play whether or not this line is used? I stared at
[https://db.apache.org/derby/docs/10.16/ref/rrefproper37341.html] for a while
but it did not make me any smarter. I tried running LDAPAuthenticationTest both
with this line in place, and with it commented out, and the test passed either
way, so probably I guess I have no idea whether any of this matters or not,
but since your patch touches the code that has the word 'searchFilter' in it I
figured I'd bring this up.
##
{code:java}
setDatabaseProperty("derby.authentication.ldap.searchFilter","(&(objectClass=inetOrgPerson)(uid=%USERNAME%))",
conn);
{code}
> LDAP injection vulnerability in LDAPAuthenticationImpl
> ------------------------------------------------------
>
> Key: DERBY-7147
> URL: https://issues.apache.org/jira/browse/DERBY-7147
> Project: Derby
> Issue Type: Bug
> Components: JDBC
> Affects Versions: 10.16.1.1
> Reporter: Richard N. Hillegas
> Assignee: Richard N. Hillegas
> Priority: Major
> Attachments: derby-7147-01-aa-reformatForReadability.diff,
> derby-7147-02-aa-escapeLDAPsearchFilter.diff,
> derby-7147-02-ab-escapeLDAPsearchFilter.diff
>
>
> An LDAP injection vulnerability has been identified in
> LDAPAuthenticationSchemeImpl.getDNFromUID(). An exploit has not been
> provided, but there is a possibility that an intruder could bypass
> authentication checks in Derby-powered applications which rely on external
> LDAP servers.
> For more information on LDAP injection, see
> https://www.synopsys.com/glossary/what-is-ldap-injection.html