Merge pull request #659 from oh2fih/16.0-jsonrpc-vuln

[16.0][FIX] users_ldap_groups JSON RPC vulnerability
OCA · Jun 6, 2024 · 7f5ae4c · 7f5ae4c
2 parents 1e8e386 + 5307f85
commit 7f5ae4c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/users_ldap_groups/models/res_company_ldap.py b/users_ldap_groups/models/res_company_ldap.py
@@ -48,7 +48,7 @@ def _get_or_create_user(self, conf, login, ldap_entry):
             _logger.debug("deleting all groups from user %d", user_id)
             groups.append((5, False, False))
         for mapping in this.group_mapping_ids:
-            operator = getattr(op_obj, mapping.operator)
+            operator = getattr(op_obj, f"_{mapping.operator}")
             _logger.debug("checking mapping %s", mapping)
             if operator(ldap_entry, mapping):
                 _logger.debug(

diff --git a/users_ldap_groups/models/res_company_ldap_operator.py b/users_ldap_groups/models/res_company_ldap_operator.py
@@ -17,20 +17,20 @@ class ResCompanyLdapOperator(models.AbstractModel):
 
     @api.model
     def operators(self):
-        """Return names of function to call on this model as operator"""
+        """Return names (without '_') of function to call on this model as operator"""
         return ("contains", "equals", "query")
 
-    def contains(self, ldap_entry, mapping):
+    def _contains(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value in map(
             lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]
         )
 
-    def equals(self, ldap_entry, mapping):
+    def _equals(self, ldap_entry, mapping):
         return mapping.ldap_attribute in ldap_entry[1] and mapping.value == str(
             list(map(lambda x: x.decode(), ldap_entry[1][mapping.ldap_attribute]))
         )
 
-    def query(self, ldap_entry, mapping):
+    def _query(self, ldap_entry, mapping):
         query_string = Template(mapping.value).safe_substitute(
             {attr: ldap_entry[1][attr][0].decode() for attr in ldap_entry[1]}
         )