|
1 | 1 | #include <library/cpp/testing/unittest/registar.h> |
| 2 | +#include <util/generic/strbuf.h> |
2 | 3 | #include "ldap_utils.h" |
3 | 4 |
|
4 | 5 | namespace NKikimr { |
@@ -60,6 +61,47 @@ Y_UNIT_TEST_SUITE(TLdapUtilsSearchFilterCreatorTest) { |
60 | 61 | const TString filter = filterCreator.GetFilter(login); |
61 | 62 | UNIT_ASSERT_STRINGS_EQUAL(expectedFilter, filter); |
62 | 63 | } |
| 64 | + |
| 65 | + Y_UNIT_TEST(EscapeSpecialCharsInDefaultUidFilter) { |
| 66 | + NKikimrProto::TLdapAuthentication settings; |
| 67 | + TSearchFilterCreator filterCreator(settings); |
| 68 | + static constexpr char LOGIN_BYTES[] = {'u', '*', '(', ')', '\\', '\0', 'x'}; |
| 69 | + const TString login(TStringBuf(LOGIN_BYTES, sizeof(LOGIN_BYTES))); |
| 70 | + const TString filter = filterCreator.GetFilter(login); |
| 71 | + UNIT_ASSERT_STRINGS_EQUAL(R"(uid=u\2a\28\29\5c\00x)", filter); |
| 72 | + } |
| 73 | + |
| 74 | + Y_UNIT_TEST(EscapeSpecialCharsInSearchAttributeFilter) { |
| 75 | + NKikimrProto::TLdapAuthentication settings; |
| 76 | + settings.SetSearchAttribute("mail"); |
| 77 | + TSearchFilterCreator filterCreator(settings); |
| 78 | + const TString login("a)admin"); |
| 79 | + const TString filter = filterCreator.GetFilter(login); |
| 80 | + UNIT_ASSERT_STRINGS_EQUAL(R"(mail=a\29admin)", filter); |
| 81 | + } |
| 82 | + |
| 83 | + Y_UNIT_TEST(EscapeInjectionInTemplatePlaceholder) { |
| 84 | + NKikimrProto::TLdapAuthentication settings; |
| 85 | + settings.SetSearchFilter("(&(uid=$username)(objectClass=person))"); |
| 86 | + TSearchFilterCreator filterCreator(settings); |
| 87 | + const TString login(")(|(uid=*"); |
| 88 | + const TString filter = filterCreator.GetFilter(login); |
| 89 | + UNIT_ASSERT_STRINGS_EQUAL("(&(uid=\\29\\28|\\28uid=\\2a)(objectClass=person))", filter); |
| 90 | + } |
| 91 | + |
| 92 | + Y_UNIT_TEST(EscapeSpecialCharsWithTwoUsernamePlaceholders) { |
| 93 | + auto getFilterString = [](const TString& name) { |
| 94 | + return "|(&(uid=" + name + ")(groupid=1234))(&(login=" + name + ")(groupid=9876))"; |
| 95 | + }; |
| 96 | + NKikimrProto::TLdapAuthentication settings; |
| 97 | + settings.SetSearchFilter(getFilterString("$username")); |
| 98 | + TSearchFilterCreator filterCreator(settings); |
| 99 | + const TString login(")(|(uid=*"); |
| 100 | + const TString filter = filterCreator.GetFilter(login); |
| 101 | + const TString escaped = "\\29\\28|\\28uid=\\2a"; |
| 102 | + const TString expected = "|(&(uid=" + escaped + ")(groupid=1234))(&(login=" + escaped + ")(groupid=9876))"; |
| 103 | + UNIT_ASSERT_STRINGS_EQUAL(expected, filter); |
| 104 | + } |
63 | 105 | } |
64 | 106 |
|
65 | 107 | Y_UNIT_TEST_SUITE(TLdapUtilsUrisCreatorTest) { |
|
0 commit comments