fix panic for ParseDN with invalid input

merlinz01 · Jul 15, 2024 · 7f4d92f · 7f4d92f
1 parent 5369e6d
commit 7f4d92f
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/dn.go b/dn.go
@@ -209,6 +209,9 @@ func ParseDN(s string) (DN, error) {
 		var r RDN
 		for _, attr := range splitAttrs(rdn) {
 			parts := splitAttr(attr)
+			if len(parts) < 2 {
+				return nil, ErrInvalidDN
+			}
 			value, err := DecodeRDNAttributeValue(parts[1])
 			if err != nil {
 				return nil, err

diff --git a/dn_test.go b/dn_test.go
@@ -47,6 +47,38 @@ func TestEncodeDN(t *testing.T) {
 	}
 }
 
+func TestParseDN(t *testing.T) {
+	type dnTest struct {
+		dnStr string
+		dn    ldapserver.DN
+		err   error
+	}
+	tests := []dnTest{
+		{"uid=jdoe,ou=users,dc=example,dc=com",
+			ldapserver.DN{{{"dc", "com"}}, {{"dc", "example"}}, {{"ou", "users"}}, {{"uid", "jdoe"}}}, nil},
+		{"UID=jsmith,DC=example,DC=net",
+			ldapserver.DN{{{"DC", "net"}}, {{"DC", "example"}}, {{"UID", "jsmith"}}}, nil},
+		{"CN=J.  Smith+OU=Sales,DC=example,DC=net",
+			ldapserver.DN{{{"DC", "net"}}, {{"DC", "example"}}, {{"CN", "J.  Smith"}, {"OU", "Sales"}}}, nil},
+		{"CN=James \\\"Jim\\\" Smith,DC=example,DC=net",
+			ldapserver.DN{{{"DC", "net"}}, {{"DC", "example"}}, {{"CN", "James \"Jim\" Smith"}}}, nil},
+		{"CN=Before\\0DAfter,DC=example,DC=net",
+			ldapserver.DN{{{"DC", "net"}}, {{"DC", "example"}}, {{"CN", "Before\rAfter"}}}, nil},
+		{"CN=,DC=,DC=", ldapserver.DN{{{"DC", ""}}, {{"DC", ""}}, {{"CN", ""}}}, nil},
+		{"CN", nil, ldapserver.ErrInvalidDN},
+		{"CN=J. Smith,OU=Sales,DC=example,DC", nil, ldapserver.ErrInvalidDN},
+	}
+	for _, dn := range tests {
+		pdn, err := ldapserver.ParseDN(dn.dnStr)
+		if err != dn.err {
+			t.Fatalf("Error parsing DN: %s", err)
+		} else if !pdn.Equal(dn.dn) {
+			t.Errorf("Expected %s", dn.dn)
+			t.Fatalf("Got      %s", pdn)
+		}
+	}
+}
+
 func TestDNIsChild(t *testing.T) {
 	type childTest struct {
 		child   string

diff --git a/errors.go b/errors.go
@@ -42,3 +42,4 @@ var ErrTLSAlreadySetUp = &LDAPError{message: "TLS already set up"}
 var ErrTLSNotAvailable = &LDAPError{message: "TLS not available"}
 var ErrWrongElementType = &LDAPError{message: "wrong element type"}
 var ErrWrongSequenceLength = &LDAPError{message: "wrong sequence length"}
+var ErrInvalidDN = &LDAPError{message: "invalid DN"}