CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
authorAndrew Bartlett <abartlet@samba.org>
Mon, 21 May 2018 03:25:58 +0000 (15:25 +1200)
committerKarolin Seeger <kseeger@samba.org>
Sat, 11 Aug 2018 06:16:04 +0000 (08:16 +0200)
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

lib/ldb/tests/python/api.py

index a62b241444b98950573aef5ee28a72d1621ff4da..48fac887f1cb437d1eeb397d43994731095fc697 100755 (executable)
@@ -401,6 +401,19 @@ class SimpleLdb(LdbBaseTest):
         finally:
             l.delete(ldb.Dn(l, "dc=bar"))
 
+    def test_rename_bad_string_dns(self):
+        l = ldb.Ldb(self.url(), flags=self.flags())
+        m = ldb.Message()
+        m.dn = ldb.Dn(l, "dc=foo8")
+        m["bla"] = b"bla"
+        m["objectUUID"] = b"0123456789abcdef"
+        self.assertEqual(len(l.search()), 0)
+        l.add(m)
+        self.assertEqual(len(l.search()), 1)
+        self.assertRaises(ldb.LdbError,lambda: l.rename("dcXfoo8", "dc=bar"))
+        self.assertRaises(ldb.LdbError,lambda: l.rename("dc=foo8", "dcXbar"))
+        l.delete(ldb.Dn(l, "dc=foo8"))
+
     def test_empty_dn(self):
         l = ldb.Ldb(self.url(), flags=self.flags())
         self.assertEqual(0, len(l.search()))
@@ -1143,6 +1156,110 @@ class SearchTests(LdbBaseTest):
         # At some point we should fix this, but it isn't trivial
         self.assertEqual(len(res11), 1)
 
+    def test_distinguishedName_filter_one(self):
+        """Testing that a distinguishedName= filter succeeds
+        when the scope is SCOPE_ONELEVEL.
+
+        This should be made more consistent, but for now lock in
+        the behaviour
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+        self.assertEqual(len(res11), 1)
+
+    def test_distinguishedName_filter_subtree(self):
+        """Testing that a distinguishedName= filter succeeds
+        when the scope is SCOPE_SUBTREE"""
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+        self.assertEqual(len(res11), 1)
+
+    def test_distinguishedName_filter_base(self):
+        """Testing that (incorrectly) a distinguishedName= filter works
+        when the scope is SCOPE_BASE"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 1)
+
+    def test_bad_dn_filter_base(self):
+        """Testing that a dn= filter on an invalid DN works
+        when the scope is SCOPE_BASE but
+        returns zero results"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 0)
+
+
+    def test_bad_dn_filter_one(self):
+        """Testing that a dn= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_ONELEVEL search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_dn_filter_subtree(self):
+        """Testing that a dn= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_SUBTREE search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_distinguishedName_filter_base(self):
+        """Testing that a distinguishedName= filter on an invalid DN works
+        when the scope is SCOPE_BASE but
+        returns zero results"""
+
+        res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_BASE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+
+        # At some point we should fix this, but it isn't trivial
+        self.assertEqual(len(res11), 0)
+
+
+    def test_bad_distinguishedName_filter_one(self):
+        """Testing that a distinguishedName= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_ONELEVEL search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_ONELEVEL,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
+    def test_bad_distinguishedName_filter_subtree(self):
+        """Testing that a distinguishedName= filter succeeds but returns zero
+        results when the DN is not valid on a SCOPE_SUBTREE search
+
+        """
+
+        res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+                              scope=ldb.SCOPE_SUBTREE,
+                              expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+        self.assertEqual(len(res11), 0)
+
 
 class IndexedSearchTests(SearchTests):
     """Test searches using the index, to ensure the index doesn't
@@ -1291,6 +1408,17 @@ class AddModifyTests(LdbBaseTest):
             enum = err.args[0]
             self.assertEqual(enum, ldb.ERR_ENTRY_ALREADY_EXISTS)
 
+    def test_add_bad(self):
+        try:
+            self.l.add({"dn": "BAD,DC=SAMBA,DC=ORG",
+                        "name": b"Admins",
+                        "x": "z", "y": "a",
+                        "objectUUID": b"0123456789abcde1"})
+            self.fail("Should have failed adding entry with invalid DN")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
     def test_add_del_add(self):
         self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
                     "name": b"Admins",
@@ -1372,6 +1500,34 @@ class AddModifyTests(LdbBaseTest):
             enum = err.args[0]
             self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
 
+    def test_move_bad(self):
+        self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+                    "name": b"Admins",
+                    "x": "z", "y": "a",
+                    "objectUUID": b"0123456789abcde2"})
+
+        try:
+            self.l.rename("OUXDUP,DC=SAMBA,DC=ORG",
+                          "OU=DUP2,DC=SAMBA,DC=ORG")
+            self.fail("Should have failed on invalid DN")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
+    def test_move_bad2(self):
+        self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+                    "name": b"Admins",
+                    "x": "z", "y": "a",
+                    "objectUUID": b"0123456789abcde2"})
+
+        try:
+            self.l.rename("OU=DUP,DC=SAMBA,DC=ORG",
+                          "OUXDUP2,DC=SAMBA,DC=ORG")
+            self.fail("Should have failed on missing")
+        except ldb.LdbError as err:
+            enum = err.args[0]
+            self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
     def test_move_fail_move_add(self):
         self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
                     "name": b"Admins",