
[fix](ldap) Replace custom LDAP filter escaping with LdapEncoder.filterEncode to prevent injection vulnerabilities and add related documentation. (#61662) #61777

Merged
yiguolei merged 1 commit into apache:branch-4.0 from seawinde:pick-61662-branch-4.0
Mar 27, 2026

Conversation

@seawinde
Member

pick from #61662

…terEncode` to prevent injection vulnerabilities and add related documentation. (apache#61662)

When constructing LDAP search filters, the {login} placeholder in
ldap_user_filter and ldap_group_filter is replaced with the raw
username. If the username contains LDAP filter special characters (*, (,
), \, NUL), these characters are interpreted as part of the filter
syntax rather than literal values, which may cause unexpected query
behavior or incorrect search results.

This PR ensures all {login} substitutions are properly escaped per RFC
4515 using Spring LDAP's built-in LdapEncoder.filterEncode(), covering
both the fe-core main authentication path and the fe-authentication
plugin path.
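As an added example (not code from this PR or from Doris), the block below reimplements RFC 4515 assertion-value escaping as a stand-in for Spring LDAP's LdapEncoder.filterEncode and runs it against a constructed ldap_user_filter template, contrasting the pre-fix raw substitution of {login} with the escaped one; the template string, the usernames and all function names are assumptions made for illustration.

```python
# Constructed sample template in the shape of a Doris ldap_user_filter value
# (assumed for this example; not the project's own configuration).
USER_FILTER_TEMPLATE = "(&(uid={login})(objectClass=person))"

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
# Each becomes a backslash followed by its two-digit hex code.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def filter_encode(value: str) -> str:
    """Illustrative stand-in for Spring LDAP's LdapEncoder.filterEncode."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(template: str, login: str) -> str:
    """Pre-fix behaviour: {login} is replaced with the raw username."""
    return template.replace("{login}", login)


def build_filter_safe(template: str, login: str) -> str:
    """Post-fix behaviour: {login} is replaced with its RFC 4515 escaped form."""
    return template.replace("{login}", filter_encode(login))


def structure_preserved(template: str, built: str) -> bool:
    """Defensive check: substituting a value must not add filter syntax.

    An escaped value contains no raw '(', ')' or '*', so the counts of those
    characters in the built filter must equal the counts in the template.
    """
    return all(built.count(c) == template.count(c) for c in "()*")


if __name__ == "__main__":
    # A legitimate username containing parentheses is enough to show the
    # difference: raw substitution changes the filter's structure.
    for login in ("alice", "Smith (Ops)", "a*b"):
        unsafe = build_filter_unsafe(USER_FILTER_TEMPLATE, login)
        safe = build_filter_safe(USER_FILTER_TEMPLATE, login)
        print(f"{login!r}: unsafe={unsafe} ok={structure_preserved(USER_FILTER_TEMPLATE, unsafe)}")
        print(f"{login!r}:   safe={safe} ok={structure_preserved(USER_FILTER_TEMPLATE, safe)}")
```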
@seawinde seawinde requested a review from yiguolei as a code owner March 26, 2026 12:31
@hello-stephen
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@seawinde
Member Author

run buildall

@hello-stephen
Contributor

FE UT Coverage Report

Increment line coverage 42.86% (3/7) 🎉
Increment coverage report
Complete coverage report

@yiguolei yiguolei merged commit 5e6a772 into apache:branch-4.0 Mar 27, 2026
26 of 29 checks passed
3 participants