From 62d064f07f4a1d87fb949d1ff6dad9df6139cedd Mon Sep 17 00:00:00 2001
From: Esa Jokinen
Date: Sat, 30 Mar 2024 10:01:19 +0200
Subject: [PATCH 1/2] [16.0][FIX] users_ldap_groups: vulnerability res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON-API
---
 users_ldap_groups/models/res_company_ldap.py | 2 +-
 users_ldap_groups/models/res_company_ldap_operator.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/users_ldap_groups/models/res_company_ldap.py b/users_ldap_groups/models/res_company_ldap.py
index 0125181309..6fcf160aa7 100644
--- a/users_ldap_groups/models/res_company_ldap.py
+++ b/users_ldap_groups/models/res_company_ldap.py
@@ -48,7 +48,7 @@ def _get_or_create_user(self, conf, login, ldap_entry):
             _logger.debug("deleting all groups from user %d", user_id)
             groups.append((5, False, False))
         for mapping in this.group_mapping_ids:
-            operator = getattr(op_obj, mapping.operator)
+            operator = getattr(op_obj, f"_{mapping.operator}")
             _logger.debug("checking mapping %s", mapping)
             if operator(ldap_entry, mapping):
                 _logger.debug(
diff --git a/users_ldap_groups/models/res_company_ldap_operator.py b/users_ldap_groups/models/res_company_ldap_operator.py
index 2436754a0c..d8bde5b8ab 100644
--- a/users_ldap_groups/models/res_company_ldap_operator.py
+++ b/users_ldap_groups/models/res_company_ldap_operator.py
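Review bot: `getattr(op_obj, f"_{mapping.operator}")` still dispatches on a string stored in the mapping record, so the underscore prefix only hides the operators from JSON-RPC `call_kw`; any `_`-prefixed attribute of the operator model stays reachable through this line unless `mapping.operator` is a closed Selection, and the field definition is not in this patch, so I cannot confirm that. An explicit allowlist is cheap and removes the dependency on the field type: `if mapping.operator not in op_obj.operators(): raise ValueError(f"unknown LDAP group mapping operator {mapping.operator!r}")` placed just before the `getattr`. It would also be worth a one-line comment on the `getattr` saying why the underscore is there (`# operators are private so they are not callable over the JSON-RPC API`), since a future refactor that drops the prefix would silently reopen the issue. `_get_or_create_user` starts and ends outside the hunk.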
@@ -20,17 +20,17 @@ def operators(self):
         """Return names of function to call on this model as operator"""
         return ("contains", "equals", "query")
 
-    def contains(self, ldap_entry, mapping):
+    def _contains(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value in map(
             lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]
         )
 
-    def equals(self, ldap_entry, mapping):
+    def _equals(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value == str(
             list(map(lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]))
         )
 
-    def query(self, ldap_entry, mapping):
+    def _query(self, ldap_entry, mapping):
         query_string = Template(mapping.value).safe_substitute(
             {attr: ldap_entry[1][attr][0].decode() for attr in ldap_entry[1]}
         )

From 5307f8582c9c5d2039f36e582ccf12bb49573729 Mon Sep 17 00:00:00 2001
From: Esa Jokinen <58781154+oh2fih@users.noreply.github.com>
Date: Thu, 6 Jun 2024 17:38:06 +0300
Subject: [PATCH 2/2] users_ldap_groups update docstring on operators()

Co-authored-by: Hpar
---
 users_ldap_groups/models/res_company_ldap_operator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/users_ldap_groups/models/res_company_ldap_operator.py b/users_ldap_groups/models/res_company_ldap_operator.py
index d8bde5b8ab..fedafa9115 100644
--- a/users_ldap_groups/models/res_company_ldap_operator.py
+++ b/users_ldap_groups/models/res_company_ldap_operator.py
@@ -17,7 +17,7 @@ class ResCompanyLdapOperator(models.AbstractModel):
 
     @api.model
     def operators(self):
-        """Return names of function to call on this model as operator"""
+        """Return names (without '_') of function to call on this model as operator"""
         return ("contains", "equals", "query")
 
     def _contains(self, ldap_entry, mapping):
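Review bot: In `_query`, attribute values read from the directory entry are substituted into `mapping.value` with no escaping, so an attribute the user can edit on their own entry (`description` is writable by the owner in many directories) can inject filter syntax such as `*)(cn=admin` into the query; the rest of `_query`, where `query_string` is consumed, lies outside the hunk, so that it becomes an LDAP search filter is inferred from the method name and the commit message rather than visible here. If the module uses python-ldap as `auth_ldap` does, escaping each value is a one-line change: `{attr: escape_filter_chars(ldap_entry[1][attr][0].decode()) for attr in ldap_entry[1]}` with `from ldap.filter import escape_filter_chars` added to the imports. Separately, that comprehension decodes every attribute of the entry, not just the ones the template references, so a binary attribute such as `jpegPhoto` or `objectGUID` would raise `UnicodeDecodeError` before the mapping is evaluated; `.decode(errors="replace")` or restricting the dict to the template's identifiers would avoid that. The rename itself is fine, but a short docstring on each of the three methods stating that they are private on purpose (not callable over JSON-RPC) and what `ldap_entry` is expected to be (the `(dn, attributes)` tuple from python-ldap, judging by `ldap_entry[1]`) would help the next maintainer.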