Ldap injection

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

(Francis et al, ..., Thanks for all the great work on ruby-net-ldap.)

I'm thinking of doing something like the following:

...
require 'net/ldap'

def ldap_auth(uid, pss)
  # Reject nil and empty values: a simple bind with an empty password is an
  # anonymous bind, which many directories accept, so it must not count as auth.
  return false if uid.nil? || pss.nil? || uid.empty? || pss.empty?

  # Allow only characters that cannot alter the DN; anything else is refused
  # outright rather than silently stripped.
  stripped_uid = uid.gsub(/[^a-zA-Z0-9._-]+/, '') # locale is en_US.UTF-8
  return false if stripped_uid != uid

  usr = "uid=#{uid},ou=people,dc=mydomain,dc=com"
  ldap = Net::LDAP.new
  ldap.host = "myldapserver"
  ldap.port = 389
  ldap.auth usr, pss
  ldap.bind # true only if the directory accepted the credentials
end
...

Thanks,

Jeff

I'm not clear on what you mean by "ldap injection." Are you having concerns
relating to security?

Look at the Net::LDAP#bind_as function. You can do some of this (not the uid
scrub) in fewer steps.

···

On 8/23/07, Jeff - Burly Systems <jeff.burly@gmail.com> wrote:

Any issues / advice guarding against ldap injection when doing a
simple pass/fail ldap auth using Net::LDAP#auth and #bind for
client-supplied uid and pss?

By ldap injection (
http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
), I was talking about potential security vulnerabilities, similar to
sql injection ( http://manuals.rubyonrails.com/read/chapter/43 )
attacks, and was wondering if Net::LDAP implemented anything internal
(similar to the use of ? in sql query strings in ruby-dbi or
ActiveRecord ) to help prevent such, or if I needed to test for and
attempt to cleanse any such potentially malicious user input
(especially in regards to uid) before using Net::LDAP.

I'll check out bind_as tho. Thanks,

Jeff

···

On 8/24/07, Francis Cianfrocca <garbagecat10@gmail.com> wrote:

On 8/23/07, Jeff - Burly Systems <jeff.burly@gmail.com> wrote:
>
> Any issues / advice guarding against ldap injection when doing a
> simple pass/fail ldap auth using Net::LDAP#auth and #bind for
> client-supplied uid and pss?

I'm not clear on what you mean by "ldap injection." Are you having concerns
relating to security?

Look at the Net::LDAP#bind_as function. You can do some of this (not the uid
scrub) in fewer steps.

It's always a good idea to scrub user input anyway. In your example, you're
getting a string from the user that might be crafted to carry an attack. In
your code, the string will get passed to an LDAP bind, not a search. If the
attacker doesn't provide a correct authentication, he won't get anywhere.
Assuming proper access controls in your directory, subsequent search
requests will only retrieve data that the authenticated user is allowed to
see. Also assuming proper access control, the user won't be able to add,
change or delete data.

Net::LDAP has an API for constructing filters that allows you to build them
up branch by branch. If you're concerned about maliciously-crafted search
filters, use that API and scrub the incoming data carefully.

Bottom line, if your directory is badly designed, you can be vulnerable.
Without knowing your specifics, I can't give advice beyond that.

···

On 8/24/07, Jeff - Burly Systems <jeff.burly@gmail.com> wrote:

By ldap injection (
http://www.webappsec.org/projects/threat/classes/ldap_injection.shtml
), I was talking about potential security vulnerabilities, similar to
sql injection ( http://manuals.rubyonrails.com/read/chapter/43 )
attacks, and was wondering if Net::LDAP implemented anything internal
(similar to the use of ? in sql query strings in ruby-dbi or
ActiveRecord ) to help prevent such, or if I needed to test for and
attempt to cleanse any such potentially malicious user input
(especially in regards to uid) before using Net::LDAP.

I'll check out bind_as tho. Thanks,
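The escaping the thread is asking about, shown as an added example that is neither Jeff's code nor part of ruby-net-ldap: it implements RFC 4514 DN escaping and RFC 4515 filter escaping by hand so the result for hostile-looking uids can be inspected without a directory server, and keeps Jeff's allowlist check alongside. It goes a little beyond the thread by also covering search filters, which matter once bind_as or any uid-based search is used; the DN suffix, sample uids and function names are assumptions.

```ruby
# Added example (not from the thread or from ruby-net-ldap): hand-rolled
# RFC 4514 (DN) and RFC 4515 (search filter) escaping, so the effect on
# attacker-shaped input can be checked without a directory server.
# Current net-ldap releases provide Net::LDAP::DN.escape and
# Net::LDAP::Filter.escape for the same job; prefer those in real code.

# Jeff's allowlist, tightened: nil, empty, and any character outside the
# allowed set is refused. An empty password is refused too, because an LDAP
# simple bind with an empty password is an anonymous bind, which many
# directories accept, and bind would then return true.
def acceptable_credentials?(uid, pss)
  return false if uid.nil? || pss.nil? || uid.empty? || pss.empty?
  uid.match?(/\A[a-zA-Z0-9._-]+\z/)
end

# Escape one attribute value for use inside a bind DN (RFC 4514 section 2.4).
def escape_dn_value(value)
  s = value.gsub(/[\\,+"<>;=]/) { |c| "\\#{c}" }   # structural characters
  s = '\\' + s if s.start_with?(' ', '#')           # leading space or '#'
  s = s[0..-2] + '\\ ' if s.end_with?(' ') && value.length > 1 # trailing space
  s
end

# Escape one assertion value for use inside a search filter (RFC 4515).
FILTER_ESCAPES = { "\\" => '\\5c', '*' => '\\2a', '(' => '\\28',
                   ')' => '\\29', "\x00" => '\\00' }.freeze
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| FILTER_ESCAPES[c] }
end

# Assumed DN suffix, matching the one in Jeff's snippet.
def bind_dn(uid)
  "uid=#{escape_dn_value(uid)},ou=people,dc=mydomain,dc=com"
end

def uid_filter(uid)
  "(uid=#{escape_filter_value(uid)})"
end

# Constructed inputs: a normal uid, one that would add an RDN to an unescaped
# DN, and one that would close and reopen an unescaped filter.
SAMPLES = ['jeff', 'jeff,ou=admins', 'jeff)(objectClass=*'].freeze

if __FILE__ == $0
  SAMPLES.each do |uid|
    puts "#{uid.inspect}: allowed=#{acceptable_credentials?(uid, 'pw')} " \
         "dn=#{bind_dn(uid)} filter=#{uid_filter(uid)}"
  end
end
```

With the allowlist in place the two hostile samples never reach the directory at all; the escaping functions show what a DN or filter should look like when a broader character set has to be accepted.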