(docker-based-examples) coder543#9 Updated example to use filter escaping, and

JedimEmO · JedimEmO · commit bc2c2122f913 · 2020-04-12T12:05:18.000+02:00
to protect against timing attacks for user discovery
diff --git a/examples/simple_bind_authentication/Cargo.toml b/examples/simple_bind_authentication/Cargo.toml
@@ -0,0 +1,11 @@
+[package]
+name = "simple_bind"
+version = "0.1.0"
+authors = ["Mathias Myrland <jedimemo@gmail.com>"]
+edition = "2018"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+clap = {git="https://github.com/clap-rs/clap.git"}
+openldap = { path = "../../" }
diff --git a/examples/simple_bind_authentication/src/main.rs b/examples/simple_bind_authentication/src/main.rs
@@ -62,14 +62,17 @@ fn do_simple_bind(
 }
 
 fn ldap_dn_lookup(ldap: &RustLDAP, who: &str) -> Result<String, LDAPError> {
+    // First, escape the who parameter to prevent LDAP injection attacks
+    let safe_who = escape_filter_assertion_value(who)?;
+
     // Show all DNs matching the description "Human"
     // ldap_search is a powerful query language, look at
     // https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
     // for an overview
     //
     // This particular filter allows the user to sign in with either
     // uid or email
-    let filter = format!("(|(uid={})(mail={}))", who, who);
+    let filter = format!("(|(uid={})(mail={}))", safe_who, safe_who);
 
     match ldap.ldap_search(
         "ou=people,dc=planetexpress,dc=com",
@@ -122,11 +125,15 @@ fn main() {
     // In our test scenario, the professor is the manager.
     do_simple_bind(&ldap, ldap_manager_dn, ldap_manager_pass).unwrap();
 
-    if let Ok(fry_dn) = ldap_dn_lookup(&ldap, user_to_authenticate.as_str()) {
-        // Now, perform a bind with the DN we found matching the user attempting to sign in
-        // and the password provided in the authentication request
-        do_simple_bind(&ldap, fry_dn.as_str(), pwd_to_authenticate.as_str()).unwrap();
+    let (dn, passwd, valid) = match ldap_dn_lookup(&ldap, user_to_authenticate.as_str()) {
+        Ok(fry_dn) => (fry_dn, pwd_to_authenticate, true),
+        _ => ("".into(), "".into(), false),
+    };
 
-        println!("Successfully signed in as fry");
+    // We do the simple bind regardless of the user existence, to protect against timing attacks
+    // to probe existing users
+    match do_simple_bind(&ldap, dn.as_str(), passwd.as_str()).is_ok() && valid {
+        true => println!("Successfully signed in as fry"),
+        false => println!("Could not log in"),
     }
 }
