seawinde opened a new pull request, #61662:
URL: https://github.com/apache/doris/pull/61662

   ### What problem does this PR solve?
   
   When constructing LDAP search filters, the {login} placeholder in 
ldap_user_filter and ldap_group_filter is replaced with the raw username. If 
the username contains LDAP filter special characters (*, (, ), \, NUL), these 
characters are interpreted as part of the filter syntax rather than literal 
values, which may cause unexpected query behavior or incorrect search results.
   
   This PR ensures all {login} substitutions are properly escaped per RFC 4515 
using Spring LDAP's built-in LdapEncoder.filterEncode(), covering both the 
fe-core main authentication path and the fe-authentication plugin path.
   
   Issue Number: close #xxx
   
   Related PR: #xxx
   
   Problem Summary:
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test <!-- At least one of them must be included. -->
       - [ ] Regression test
       - [x] Unit Test
       - [ ] Manual test (add detailed scripts or steps below)
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason <!-- Add your reason?  -->
   
   - Behavior changed:
       - [ ] No.
       - [ ] Yes. <!-- Explain the behavior change -->
   
   - Does this need documentation?
       - [ ] No.
       - [ ] Yes. <!-- Add document PR link here. eg: 
https://github.com/apache/doris-website/pull/1214 -->
   
   ### Check List (For Reviewer who merge this PR)
   
   - [ ] Confirm the release note
   - [ ] Confirm test cases
   - [ ] Confirm document
   - [ ] Add branch pick label <!-- Add branch pick label that this PR should 
merge into -->
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
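
Added example, not code from this PR or from Doris: a self-contained Java sketch of the RFC 4515 value escaping the description refers to, applied to the {login} substitution. The helper `escapeFilterValue` is a hand-written stand-in for Spring LDAP's `LdapEncoder.filterEncode()`, and the filter template and usernames are constructed.

```java
public class LdapFilterEscapeDemo {

    // Hypothetical stand-in for LdapEncoder.filterEncode(): escapes the
    // characters RFC 4515 requires to be escaped in a filter assertion value.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape first, then substitute. String.replace() is a literal
    // replacement; replaceAll() would reinterpret the backslashes that the
    // escaping step just produced.
    static String buildFilter(String template, String login) {
        return template.replace("{login}", escapeFilterValue(login));
    }

    public static void main(String[] args) {
        // Constructed template in the style of ldap_user_filter.
        String template = "(&(objectClass=person)(uid={login}))";
        // Constructed usernames, one per special character named above.
        String[] logins = { "alice", "al*", "a(b)c", "dom\\user", "x\0y" };

        for (String login : logins) {
            String raw = template.replace("{login}", login);
            String safe = buildFilter(template, login);
            // Show NUL visibly so the unescaped form is readable on a terminal.
            System.out.println("raw:     " + raw.replace("\0", "<NUL>"));
            System.out.println("escaped: " + safe);
            System.out.println();
        }
    }
}
```

With the constructed username `al*`, the unescaped filter ends in `(uid=al*)`, a substring match rather than an equality test, while the escaped filter ends in `(uid=al\2a)` and matches only the literal name.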

