Fix LDAP Sanitization (mitmproxy#8178)

mhils · web-flow · commit 71c923405792 · 2026-04-12T21:14:46.000Z
This fixes GHSA-527g-3w9m-29hv.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,9 @@
 
 ## Unreleased: mitmproxy next
 
+- [GHSA-527g-3w9m-29hv](https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv):
+  Fix LDAP injection vulnerability reported by @yueyueL.
+  ([#8178](https://github.com/mitmproxy/mitmproxy/pull/8178), @mhils)
 - Fix addon options not being included in `--options` output.
   ([#4423](https://github.com/mitmproxy/mitmproxy/issues/4423))
 - Fix `view.settings.setval.toggle` command to correctly use the provided key parameter instead of hardcoded "key" string.
diff --git a/mitmproxy/addons/proxyauth.py b/mitmproxy/addons/proxyauth.py
@@ -281,10 +281,14 @@ def parse_spec(spec: str) -> tuple[bool, str, int | None, str, str, str, str]:
         except ValueError:
             raise exceptions.OptionsError(f"Invalid LDAP specification: {spec}")
 
+    def make_search_filter(self, username: str) -> str:
+        username = ldap3.utils.conv.escape_filter_chars(username)
+        return f"({self.filter_key}={username})"
+
     def __call__(self, username: str, password: str) -> bool:
         if not username or not password:
             return False
-        self.conn.search(self.dn_subtree, f"({self.filter_key}={username})")
+        self.conn.search(self.dn_subtree, self.make_search_filter(username))
         if self.conn.response:
             c = ldap3.Connection(
                 self.server, self.conn.response[0]["dn"], password, auto_bind=True
diff --git a/test/mitmproxy/addons/test_proxyauth.py b/test/mitmproxy/addons/test_proxyauth.py
@@ -269,3 +269,12 @@ def test_ldap(monkeypatch, spec):
     assert validator("foo", "bar")
     validator.conn.response = False
     assert not validator("foo", "bar")
+
+
+def test_ldap_username_sanitization(monkeypatch):
+    monkeypatch.setattr(ldap3, "Server", mock.MagicMock())
+    monkeypatch.setattr(ldap3, "Connection", mock.MagicMock())
+    validator = proxyauth.Ldap(
+        "ldaps:localhost:cn=default,dc=cdhdt,dc=com:password:ou=application,dc=cdhdt,dc=com"
+    )
+    assert validator.make_search_filter("*") == "(cn=\\2a)"
