Merge pull request #3754 from semaphoreui/fix/ldap_filter_injection

fix(ldap): issue with filter injection

Author: fiftin

api/login.go

@@ -72,7 +72,7 @@ func tryFindLDAPUser(username, password string) (*db.User, error) {
 	searchRequest := ldap.NewSearchRequest(
 		util.Config.LdapSearchDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf(util.Config.LdapSearchFilter, username),
+		fmt.Sprintf(util.Config.LdapSearchFilter, ldap.EscapeFilter(username)),
 		[]string{util.Config.LdapMappings.DN},
 		nil,
 	)
@@ -105,7 +105,7 @@ func tryFindLDAPUser(username, password string) (*db.User, error) {
 	searchRequest = ldap.NewSearchRequest(
 		util.Config.LdapSearchDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf(util.Config.LdapSearchFilter, username),
+		fmt.Sprintf(util.Config.LdapSearchFilter, ldap.EscapeFilter(username)),
 		[]string{util.Config.LdapMappings.DN, util.Config.LdapMappings.Mail, util.Config.LdapMappings.UID, util.Config.LdapMappings.CN},
 		nil,
 	)
@@ -333,7 +333,7 @@ func login(w http.ResponseWriter, r *http.Request) {
 				"context": "ldap",
 				"auth":    login.Auth,
 			}).Warn("Failed to find user in LDAP")
-			w.WriteHeader(http.StatusInternalServerError)
+			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
 	}