Details
Type: Improvement
Resolution: Fixed
Priority: Minor
Description
@Shilen Patel one thing that bothers me is the filters. I think these are generic, i.e. a SQL filter could be a col=value or a where clause, or a WS could have an attribute=value. But don't we need to escape things? i.e.
FROM
provisioner.ldapProvTest.groupSearchFilter = (&(objectClass=groupOfNames)(businessCategory=${targetGroup.retrieveAttributeValue('businessCategory')}))
TO
provisioner.ldapProvTest.groupSearchFilter = (&(objectClass=groupOfNames)(businessCategory=?))
provisioner.ldapProvTest.groupSearchFilterBindVariable0 = ${targetGroup.retrieveAttributeValue('businessCategory')}
Then the DAO can escape the bind variable somehow?
Shilen Patel 12:31 PM
Yeah, that sounds reasonable to me. It can always escape the bind variables; is there a case where it shouldn't?
Chris Hyzer 12:35 PM
If you don't list any, like in the first situation? 🙂 How do you escape an LDAP "bind var"? 🙂 Should I add that in there?
Shilen Patel 12:37 PM
Yeah, it's probably good practice to make sure it's escaped, even if for most people they'd be searching for strings/ints that don't need escaping.
Shilen Patel 12:42 PM
LoaderLdapUtils.escapeSearchFilter(string) probably should be copied somewhere else
12:43
Same with the DN escaping. I think in my example I just used a JNDI method, but we should put that in our own util class?
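The bind-variable scheme sketched in the chat above, worked through as an added example; this is not Grouper's own code or the `LoaderLdapUtils` implementation it refers to. It assumes the `?` placeholder and `groupSearchFilterBindVariable0`-style ordering from the ticket, a hypothetical class name `LdapFilterBinder`, the RFC 4515 escape set for filter values (`\`, `*`, `(`, `)` and NUL), and `javax.naming.ldap.Rdn.escapeValue` as the JNDI method for DN values:

```java
import java.util.List;
import javax.naming.ldap.Rdn;

/**
 * Added example (not Grouper code): substitute bind variables into an LDAP
 * search filter template so that attribute values can never alter the filter
 * structure, and escape DN values separately with JNDI.
 */
public final class LdapFilterBinder {

    private LdapFilterBinder() {}

    /**
     * Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
     * Only the filter metacharacters are rewritten; everything else passes through.
     */
    public static String escapeSearchFilter(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Replace each '?' in the template with the corresponding bind variable,
     * escaped, in order (bind variable 0 fills the first '?', and so on).
     * A count mismatch is rejected rather than silently producing a filter
     * with an unfilled or dropped value.
     */
    public static String bind(String filterTemplate, List<String> bindVariables) {
        StringBuilder sb = new StringBuilder(filterTemplate.length() + 32);
        int next = 0;
        for (int i = 0; i < filterTemplate.length(); i++) {
            char c = filterTemplate.charAt(i);
            if (c == '?') {
                if (next >= bindVariables.size()) {
                    throw new IllegalArgumentException(
                        "filter has more '?' placeholders than bind variables");
                }
                sb.append(escapeSearchFilter(bindVariables.get(next++)));
            } else {
                sb.append(c);
            }
        }
        if (next != bindVariables.size()) {
            throw new IllegalArgumentException(
                "unused bind variables: " + (bindVariables.size() - next));
        }
        return sb.toString();
    }

    /** Escape a value for use in an RDN/DN (RFC 4514) via the JDK's own JNDI helper. */
    public static String escapeDnValue(String value) {
        return Rdn.escapeValue(value);
    }

    public static void main(String[] args) {
        // Template copied from the ticket; the bind values are constructed samples,
        // the second one containing filter metacharacters on purpose.
        String template = "(&(objectClass=groupOfNames)(businessCategory=?))";
        System.out.println(bind(template, List.of("finance")));
        System.out.println(bind(template, List.of("R&D (east) *")));

        // DN escaping is a different grammar, so it gets a different escaper.
        System.out.println("cn=" + escapeDnValue("Smith, John") + ",ou=people,dc=example,dc=org");
    }
}
```

With the second sample the parentheses and asterisk come out as `\28`, `\29` and `\2a`, so the value is matched literally instead of closing the `businessCategory` assertion and opening a new one; the DN helper instead escapes the comma, which is what matters in that grammar. Because `?` has no meaning in LDAP filter syntax, a literal question mark in a value is simply passed as a bind variable like any other string.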