fix security alert #51

marle3003 · marle3003 · commit ff2d4242484d · 2025-12-15T15:10:54.000+01:00
diff --git a/providers/directory/search.go b/providers/directory/search.go
@@ -562,7 +562,10 @@ func sidToBytes(sid string) ([]byte, error) {
 	// Revision
 	rev, revErr := strconv.ParseUint(parts[0], 10, 32)
 	if revErr != nil {
-		return nil, fmt.Errorf("invalid uint value %v at position: %v", parts[0], 0)
+		return nil, fmt.Errorf("invalid SID revision value value '%v' at position: %v", parts[0], 0)
+	}
+	if rev > 255 {
+		return nil, fmt.Errorf("SID revision value '%v' out of byte range (0-255) at position: %v", parts[1], 0)
 	}
 	result = append(result, byte(rev))
 
diff --git a/providers/directory/search_test.go b/providers/directory/search_test.go
@@ -281,6 +281,66 @@ objectSid:: AQUAAAAAAAUVAAAAF8sUcR3r8QcekDXQw9wAAA==
 				require.Equal(t, "cn=user1", res.Results[0].Dn)
 			},
 		},
+		{
+			name:  "ldap filter objectSid using AD style with invalid revision",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte(`
+dn:
+namingContexts: dc=example_domain_name
+subschemaSubentry: cn=schema
+
+dn: cn=schema
+objectClass: top
+objectClass: subschema
+attributeTypes: ( 1.2.3.4.5.6.7.8 NAME 'objectSid' DESC 'objectSid' EQUALITY activeDirectoryObjectSidMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+`)},
+			}},
+			test: func(t *testing.T, h ldap.Handler, log *test.Hook, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: fmt.Sprintf("(objectSid=S-foo-5-21-1234567890-1234567890-1234567890-1001)"),
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
+				require.Len(t, res.Results, 0)
+				require.Len(t, log.Entries, 2)
+				require.Equal(t, "ldap: filter syntax error: invalid SID 'S-foo-5-21-1234567890-1234567890-1234567890-1001': invalid SID revision value value 'foo' at position: 0", log.Entries[1].Message)
+			},
+		},
+		{
+			name:  "ldap filter objectSid using AD style with revision to high",
+			input: `{ "files": [ "./users.ldif" ] }`,
+			reader: &dynamictest.Reader{Data: map[string]*dynamic.Config{
+				"file:/users.ldif": {Raw: []byte(`
+dn:
+namingContexts: dc=example_domain_name
+subschemaSubentry: cn=schema
+
+dn: cn=schema
+objectClass: top
+objectClass: subschema
+attributeTypes: ( 1.2.3.4.5.6.7.8 NAME 'objectSid' DESC 'objectSid' EQUALITY activeDirectoryObjectSidMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+`)},
+			}},
+			test: func(t *testing.T, h ldap.Handler, log *test.Hook, err error) {
+				require.NoError(t, err)
+
+				rr := ldaptest.NewRecorder()
+				h.ServeLDAP(rr, ldaptest.NewRequest(0, &ldap.SearchRequest{
+					Scope:  ldap.ScopeWholeSubtree,
+					Filter: fmt.Sprintf("(objectSid=S-300-5-21-1234567890-1234567890-1234567890-1001)"),
+				}))
+				res := rr.Message.(*ldap.SearchResponse)
+
+				require.Len(t, res.Results, 0)
+				require.Len(t, log.Entries, 2)
+				require.Equal(t, "ldap: filter syntax error: invalid SID 'S-300-5-21-1234567890-1234567890-1234567890-1001': SID revision value '5' out of byte range (0-255) at position: 0", log.Entries[1].Message)
+			},
+		},
 		{
 			name:  "ldap filter objectSid using AD style with invalid authId",
 			input: `{ "files": [ "./users.ldif" ] }`,
