From 9ab8bf3cacbef319b8439145b9e90af9aaff7f68 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 21 Aug 2022 20:46:41 +0200
Subject: [PATCH] Fix crash in LDAP authentication

Since https://github.com/vesse/node-ldapauth-fork/commit /741a648df98d789856b3301d65103b74872fdeea, ldapauth-fork calls `push` on the attributes array. Since we deep-freeze our config object in https://github .com/hedgedoc/hedgedoc/blob/master/lib/config/index.js#L200, this causes a crash. This commit fixes the crash by creating a mutable clone of the LDAP config and passing that to the LDAP strategy. Fixes https://github.com/hedgedoc/hedgedoc/issues/2561
Signed-off-by: David Mehren
---
 lib/web/auth/ldap/index.js | 18 +++++++++++-------
 public/docs/release-notes.md | 2 +-
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/web/auth/ldap/index.js b/lib/web/auth/ldap/index.js
index a780df2b3..f41a451d7 100644
--- a/lib/web/auth/ldap/index.js
+++ b/lib/web/auth/ldap/index.js
@@ -8,18 +8,22 @@ const models = require('../../../models')
 const logger = require('../../../logger')
 const { urlencodedParser } = require('../../utils')
 const errors = require('../../../errors')
+const { cloneDeep } = require('lodash')
 const ldapAuth = module.exports = Router()
+// ldapauth-fork mutates the config object, so we need to make a clone of our deep-frozen config
+const mutableLdapConfig = cloneDeep(config.ldap)
+
 passport.use(new LDAPStrategy({
 server: {
- url: config.ldap.url || null,
- bindDN: config.ldap.bindDn || null,
- bindCredentials: config.ldap.bindCredentials || null,
- searchBase: config.ldap.searchBase || null,
- searchFilter: config.ldap.searchFilter || null,
- searchAttributes: config.ldap.searchAttributes || null,
- tlsOptions: config.ldap.tlsOptions || null
+ url: mutableLdapConfig.url || null,
+ bindDN: mutableLdapConfig.bindDn || null,
+ bindCredentials: mutableLdapConfig.bindCredentials || null,
+ searchBase: mutableLdapConfig.searchBase || null,
+ searchFilter: mutableLdapConfig.searchFilter || null,
+ searchAttributes: mutableLdapConfig.searchAttributes || null,
+ tlsOptions: mutableLdapConfig.tlsOptions || null
 }
 }, function (user, done) {
 let uuid = user.uidNumber || user.uid || user.sAMAccountName || undefined
diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md
index ef11d68b1..8a2529ded 100644
--- a/public/docs/release-notes.md
+++ b/public/docs/release-notes.md
@@ -5,7 +5,7 @@
 - Add dark mode toggle in mobile view
 ### Bugfixes
-
+- Fix a crash when using LDAP authentication with custom search attributes (thanks to [@aboettger-tuhh](https://github.com/aboettger-tuhh) for reporting)
 ## 1.9.4 2022-07-10
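Review bot: In the lib/web/auth/ldap/index.js hunk, `const mutableLdapConfig = cloneDeep(config.ldap)` copies the whole LDAP section, `bindCredentials` included, into a second, unfrozen module-level object, although per the commit message the library only mutates the `searchAttributes` array. The clone could be limited to the reference-typed values, e.g. `searchAttributes: cloneDeep(config.ldap.searchAttributes) || null,` and `tlsOptions: cloneDeep(config.ldap.tlsOptions) || null,`, with the remaining fields (presumably plain strings) still read from the frozen config. That avoids holding a second long-lived copy of the bind secret and makes it explicit which values the dependency is allowed to change. The comment would also be more useful if it named the mutated field, for instance `// ldapauth-fork pushes onto searchAttributes; config is deep-frozen, so pass a copy`. The verify callback that begins at `function (user, done)` continues outside the hunk, so any later `config.ldap` reads there are not covered by this change.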