[16.0][FIX] users_ldap_groups: vulnerability

oh2fih · oh2fih · commit 62d064f07f4a · 2024-03-30T10:01:19.000+02:00
res.company.ldap.operator operators should be private methods;
public methods allow arbitrary LDAP queries via JSON-API
diff --git a/users_ldap_groups/models/res_company_ldap.py b/users_ldap_groups/models/res_company_ldap.py
@@ -48,7 +48,7 @@ def _get_or_create_user(self, conf, login, ldap_entry):
             _logger.debug("deleting all groups from user %d", user_id)
             groups.append((5, False, False))
         for mapping in this.group_mapping_ids:
-            operator = getattr(op_obj, mapping.operator)
+            operator = getattr(op_obj, f"_{mapping.operator}")
             _logger.debug("checking mapping %s", mapping)
             if operator(ldap_entry, mapping):
                 _logger.debug(
diff --git a/users_ldap_groups/models/res_company_ldap_operator.py b/users_ldap_groups/models/res_company_ldap_operator.py
@@ -20,17 +20,17 @@ def operators(self):
         """Return names of function to call on this model as operator"""
         return ("contains", "equals", "query")
 
-    def contains(self, ldap_entry, mapping):
+    def _contains(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value in map(
             lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]
         )
 
-    def equals(self, ldap_entry, mapping):
+    def _equals(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value == str(
             list(map(lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]))
         )
 
-    def query(self, ldap_entry, mapping):
+    def _query(self, ldap_entry, mapping):
         query_string = Template(mapping.value).safe_substitute(
             {attr: ldap_entry[1][attr][0].decode() for attr in ldap_entry[1]}
         )

Original file line number	Diff line number	Diff line change
`@@ -20,17 +20,17 @@ def operators(self):`
`20`	`20`	`"""Return names of function to call on this model as operator"""`
`21`	`21`	`return ("contains", "equals", "query")`
`22`	`22`
`23`		`- def contains(self, ldap_entry, mapping):`
	`23`	`+ def _contains(self, ldap_entry, mapping):`
`24`	`24`	`return mapping.ldap_attribute in ldap_entry[1] and mapping.value in map(`
`25`	`25`	`lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]`
`26`	`26`	`)`
`27`	`27`
`28`		`- def equals(self, ldap_entry, mapping):`
	`28`	`+ def _equals(self, ldap_entry, mapping):`
`29`	`29`	`return mapping.ldap_attribute in ldap_entry[1] and mapping.value == str(`
`30`	`30`	`list(map(lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]))`
`31`	`31`	`)`
`32`	`32`
`33`		`- def query(self, ldap_entry, mapping):`
	`33`	`+ def _query(self, ldap_entry, mapping):`
`34`	`34`	`query_string = Template(mapping.value).safe_substitute(`
`35`	`35`	`{attr: ldap_entry[1][attr][0].decode() for attr in ldap_entry[1]}`
`36`	`36`	`)`