Hippo Repository / REPO-1912

SecurityManager doesn't sanitize userId in case of external providers to get memberships


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.2.0

      Description

      Consider method SecurityManager#getMemberships on master:

      private Set<String> getMemberships(String rawUserId, String providerId) {
          try {
              if (providers.containsKey(providerId)) {
                  // bug: no sanitizeUserId here!
                  return providers.get(providerId).getGroupManager().getMembershipIds(rawUserId);
              } else {
                  return providers.get(INTERNAL_PROVIDER).getGroupManager().getMembershipIds(sanitizeUserId(rawUserId, providerId));
              }
          } catch (RepositoryException e) {
              log.warn("Unable to get memberships for userId: " + rawUserId, e);
              return null;
          }
      }
      

      Only in the "else" branch is sanitizeUserId() called. It checks for case sensitivity on the provider's user manager.

      Not sanitizing the raw user id for non-internal providers breaks login for an external provider with a case-insensitive LDAP integration: the id the user typed is passed to the group manager unchanged, so memberships are looked up under a differently cased key.

      A client with this setup had to fork the class and add an extra sanitizeUserId() call in the "if" branch to make it work.
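      The corrected shape of the lookup, as an added illustration rather than the project's actual fix: the user id is sanitized before both the external-provider and the internal-provider branch. Provider, UserManager and GroupManager below are assumed stand-ins for the repository's types, and the sanitizeUserId model (fold case when the user manager is case-insensitive) is an assumption based on the issue text; the RepositoryException handling is left out.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not Hippo Repository code. Minimal model of the
// provider/group-manager lookup with sanitizeUserId applied in both branches.
public class MembershipLookupExample {

    interface UserManager { boolean isCaseSensitive(); }           // assumed stand-in
    interface GroupManager { Set<String> getMembershipIds(String userId); } // assumed stand-in
    record Provider(UserManager userManager, GroupManager groupManager) {}

    static final String INTERNAL_PROVIDER = "internal";
    private final Map<String, Provider> providers = new HashMap<>();

    // Assumed normalization: fold case when the provider's user manager is
    // case-insensitive, which is what the issue says sanitizeUserId checks.
    private String sanitizeUserId(String rawUserId, String providerId) {
        Provider p = providers.getOrDefault(providerId, providers.get(INTERNAL_PROVIDER));
        return p.userManager().isCaseSensitive() ? rawUserId : rawUserId.toLowerCase(Locale.ROOT);
    }

    // Fixed shape: the external-provider branch now sanitizes as well.
    Set<String> getMemberships(String rawUserId, String providerId) {
        String providerKey = providers.containsKey(providerId) ? providerId : INTERNAL_PROVIDER;
        String userId = sanitizeUserId(rawUserId, providerId);
        return providers.get(providerKey).groupManager().getMembershipIds(userId);
    }

    public static void main(String[] args) {
        MembershipLookupExample ex = new MembershipLookupExample();
        // Constructed group data keyed by lower-case ids, as a case-insensitive LDAP would expose them.
        Map<String, Set<String>> ldapGroups = Map.of("jdoe", Set.of("editors"));
        ex.providers.put(INTERNAL_PROVIDER, new Provider(() -> true, u -> Collections.emptySet()));
        ex.providers.put("ldap", new Provider(() -> false,
                u -> ldapGroups.getOrDefault(u, Collections.emptySet())));

        // The raw id "JDoe" is folded before the lookup, so the membership is found.
        System.out.println("sanitized lookup: " + ex.getMemberships("JDoe", "ldap"));
        // The unsanitized lookup from the reported code misses the same group.
        System.out.println("raw lookup:       "
                + ex.providers.get("ldap").groupManager().getMembershipIds("JDoe"));
    }
}
```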

      People

      • Assignee: Client Service Team (clientserviceteam)
      • Reporter: Jeroen Hoffman (jhoffman)