Fix crash in LDAP authentication

Since https://github.com/vesse/node-ldapauth-fork/commit
/741a648df98d789856b3301d65103b74872fdeea, ldapauth-fork calls `push` on
 the attributes array.

 Since we deep-freeze our config object in https://github
 .com/hedgedoc/hedgedoc/blob/master/lib/config/index.js#L200, this
 causes a crash.

 This commit fixes the crash by creating a mutable clone of the LDAP
 config and passing that to the LDAP strategy.

 Fixes https://github.com/hedgedoc/hedgedoc/issues/2561

Signed-off-by: David Mehren <git@herrmehren.de>
David Mehren 2022-08-21 20:46:41 +02:00
parent 58f321ce29
commit 9ab8bf3cac
2 changed files with 12 additions and 8 deletions


@ -8,18 +8,22 @@ const models = require('../../../models')
const logger = require('../../../logger') const logger = require('../../../logger')
const { urlencodedParser } = require('../../utils') const { urlencodedParser } = require('../../utils')
const errors = require('../../../errors') const errors = require('../../../errors')
const { cloneDeep } = require('lodash')
const ldapAuth = module.exports = Router() const ldapAuth = module.exports = Router()
// ldapauth-fork mutates the config object, so we need to make a clone of our deep-frozen config
const mutableLdapConfig = cloneDeep(config.ldap)
passport.use(new LDAPStrategy({ passport.use(new LDAPStrategy({
server: { server: {
url: config.ldap.url || null, url: mutableLdapConfig.url || null,
bindDN: config.ldap.bindDn || null, bindDN: mutableLdapConfig.bindDn || null,
bindCredentials: config.ldap.bindCredentials || null, bindCredentials: mutableLdapConfig.bindCredentials || null,
searchBase: config.ldap.searchBase || null, searchBase: mutableLdapConfig.searchBase || null,
searchFilter: config.ldap.searchFilter || null, searchFilter: mutableLdapConfig.searchFilter || null,
searchAttributes: config.ldap.searchAttributes || null, searchAttributes: mutableLdapConfig.searchAttributes || null,
tlsOptions: config.ldap.tlsOptions || null tlsOptions: mutableLdapConfig.tlsOptions || null
} }
}, function (user, done) { }, function (user, done) {
let uuid = user.uidNumber || user.uid || user.sAMAccountName || undefined let uuid = user.uidNumber || user.uid || user.sAMAccountName || undefined
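Review bot: `cloneDeep(config.ldap)` copies the whole LDAP section, including `bindCredentials`, into a second, mutable module-level object, although the commit message names only the attributes array as what ldapauth-fork mutates. If that is the only field the library writes to, copying just that one keeps the bind password in the frozen config alone: `searchAttributes: config.ldap.searchAttributes ? [...config.ldap.searchAttributes] : null`. The clone is also made once at module load, so the same array is handed to every login and anything the library pushes persists for the life of the process; whether the push is guarded against duplicates is not visible here and is worth confirming. The strategy callback continues outside the hunk, so any later reads of `config.ldap` there would now come from a different object than the server options.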


@ -5,7 +5,7 @@
- Add dark mode toggle in mobile view - Add dark mode toggle in mobile view
### Bugfixes ### Bugfixes
- Fix a crash when using LDAP authentication with custom search attributes (thanks to [@aboettger-tuhh](https://github.com/aboettger-tuhh) for reporting)
## <i class="fa fa-tag"></i> 1.9.4 <i class="fa fa-calendar-o"></i> 2022-07-10 ## <i class="fa fa-tag"></i> 1.9.4 <i class="fa fa-calendar-o"></i> 2022-07-10