[16.0][FIX] users_ldap_groups: vulnerability

res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON-API
OCA · Feb 23, 2024 · 8911464 · 8911464
1 parent 1c9f8c6
commit 8911464
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/users_ldap_groups/models/res_company_ldap.py b/users_ldap_groups/models/res_company_ldap.py
@@ -48,7 +48,7 @@ def _get_or_create_user(self, conf, login, ldap_entry):
             _logger.debug("deleting all groups from user %d", user_id)
             groups.append((5, False, False))
         for mapping in this.group_mapping_ids:
-            operator = getattr(op_obj, mapping.operator)
+            operator = getattr(op_obj, f'_{mapping.operator}')
             _logger.debug("checking mapping %s", mapping)
             if operator(ldap_entry, mapping):
                 _logger.debug(

diff --git a/users_ldap_groups/models/res_company_ldap_operator.py b/users_ldap_groups/models/res_company_ldap_operator.py
@@ -20,17 +20,17 @@ def operators(self):
         """Return names of function to call on this model as operator"""
         return ("contains", "equals", "query")
 
-    def contains(self, ldap_entry, mapping):
+    def _contains(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value in map(
             lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]
         )
 
-    def equals(self, ldap_entry, mapping):
+    def _equals(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value == str(
             list(map(lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]))
         )
 
-    def query(self, ldap_entry, mapping):
+    def _query(self, ldap_entry, mapping):
         query_string = Template(mapping.value).safe_substitute(
             {
                 attr: self.safe_ldap_decode(ldap_entry[1][attr][0])