Merge pull request from GHSA-4w46-w44m-3jq3

* strip password after authentication to prevent cleartext password storage * fixed forgotten testcase forcing ;-/ * added test to check if password is not stored in user record Co-authored-by: Fabian Strachanski <fabian@fastr.de>
2020-12-02 13:08:02 -08:00
parent 4dee0bc61e
commit da905a357d
2 changed files with 47 additions and 0 deletions
--- a/spec/LdapAuth.spec.js
+++ b/spec/LdapAuth.spec.js
@@ -211,3 +211,49 @@ it('Should fail if the LDAP server encounters an error while searching', done =>
      .finally(() => server.close());
  });
 });
+
+it('Should delete the password from authData after validation', done => {
+  mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example'
+    };
+
+    const authData = { id: 'testuser', password: 'secret' };
+
+    ldap
+      .validateAuthData(authData, options)
+      .then(() => {
+        expect(authData).toEqual({ id: 'testuser' });
+        done();
+      })
+      .catch(done.fail)
+      .finally(() => server.close());
+  });
+});
+
+it('Should not save the password in the user record after authentication', done => {
+  mockLdapServer(port, 'uid=testuser, o=example', true).then(server => {
+    const options = {
+      suffix: 'o=example',
+      url: `ldap://localhost:${port}`,
+      dn: 'uid={{id}}, o=example'
+    };
+    reconfigureServer({ auth: { ldap: options } }).then(() => {
+      const authData = { authData: { id: 'testuser', password: 'secret' } };
+      Parse.User.logInWith('ldap', authData).then((returnedUser) => {
+        const query = new Parse.Query("User");
+        query
+          .equalTo('objectId', returnedUser.id).first({ useMasterKey: true })
+          .then((user) => {
+            expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }});
+            expect(user.get('authData').ldap.password).toBeUndefined();
+            done();
+          })
+          .catch(done.fail)
+          .finally(() => server.close())
+      })
+    });
+  });
+});
--- a/src/Adapters/Auth/ldap.js
+++ b/src/Adapters/Auth/ldap.js
@@ -23,6 +23,7 @@ function validateAuthData(authData, options) {

  return new Promise((resolve, reject) => {
    client.bind(userCn, authData.password, ldapError => {
+      delete(authData.password);
      if (ldapError) {
        let error;
        switch (ldapError.code) {