Skip to content

fix: security and code quality improvements #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guimard merged 3 commits into from
Jan 21, 2026
Merged

fix: security and code quality improvements #44

guimard merged 3 commits into from
Jan 21, 2026

Conversation

@guimard
Copy link
Member

@guimard guimard commented Jan 21, 2026

Summary

  • Fix LDAP injection vulnerabilities in organization.ts, groups.ts, and ldapFlat.ts by using escapeLdapFilter() for user-supplied query parameters
  • Mask unauthorized tokens in logs to prevent credential exposure (token.ts)
  • Extract duplicated regex caching utilities (getCompiledRegex, escapeRegex) from groups.ts and ldapFlat.ts into shared utils.ts
  • Add .catch() handlers to fire-and-forget hook calls in ldapActions.ts to prevent silent failures
  • Replace unbounded Map with LRUCache for attrSignatureCache to prevent memory leaks

Security fixes

LDAP Injection Prevention (Critical)

User-supplied query parameters were being directly interpolated into LDAP filters, allowing potential injection attacks:

Before:

filter: `(&(objectClass=organizationalUnit)(|(ou=*${query}*)(description=*${query}*)))`

After:

const escapedQuery = escapeLdapFilter(query);
filter: `(&(objectClass=organizationalUnit)(|(ou=*${escapedQuery}*)(description=*${escapedQuery}*)))`

Token Masking in Logs

Unauthorized tokens were logged in full, potentially exposing valid tokens:

Before:

this.logger.warn(`Unauthorized token: ${token}`);

After:

const maskedToken = token.length > 8 ? `${token.substring(0, 8)}...` : '***';
this.logger.warn(`Unauthorized token: ${maskedToken}`);

Code quality improvements

  • Shared regex caching utilities in utils.ts reduce code duplication
  • Hook error handling prevents silent failures
  • Bounded LRU cache prevents memory leaks

Test plan

  • Build passes (npm run build:dev)
  • Run existing tests
  • Manual testing of search endpoints with special characters

🤖 Generated with Claude Code

@guimard @claude
fix: security and code quality improvements
b7c5d38 
Security fixes:
- Fix LDAP injection vulnerabilities in organization.ts, groups.ts, and ldapFlat.ts
  by using escapeLdapFilter() for user-supplied query parameters
- Mask unauthorized tokens in logs to prevent credential exposure (token.ts)

Code quality improvements:
- Extract duplicated regex caching utilities (getCompiledRegex, escapeRegex)
  from groups.ts and ldapFlat.ts into shared utils.ts
- Add .catch() handlers to fire-and-forget hook calls in ldapActions.ts
  to prevent silent failures
- Replace unbounded Map with LRUCache for attrSignatureCache to prevent
  memory leaks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@guimard guimard self-assigned this Jan 21, 2026
@guimard guimard requested a review from Copilot January 21, 2026 20:26
@guimard @claude
fix: preserve backward compatibility for custom LDAP filters in group…
98087f7 
…s.ts

The previous commit inadvertently broke the custom filter functionality.
This commit restores the ability to use custom filters (with =) while:
- Keeping strict character validation for custom filters
- Escaping simple values to prevent LDAP injection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Copilot AI reviewed Jan 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR implements security fixes for LDAP injection vulnerabilities and several code quality improvements. The changes add LDAP filter escaping, mask unauthorized tokens in logs, extract duplicated regex utilities, add error handling to hooks, and replace an unbounded Map with an LRU cache.

Changes:

  • Add escapeLdapFilter() function and apply it to user-supplied query parameters in LDAP searches
  • Mask unauthorized tokens in authentication logs to prevent credential exposure
  • Extract regex caching utilities (getCompiledRegex, escapeRegex) from class instances to shared utils
  • Add .catch() handlers to fire-and-forget hook calls for better error visibility
  • Replace unbounded attrSignatureCache Map with bounded LRUCache to prevent memory leaks

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
src/plugins/ldap/organization.ts Adds LDAP filter escaping for search queries to prevent injection attacks
src/plugins/ldap/groups.ts Applies LDAP filter escaping and removes duplicate regex utilities
src/plugins/auth/token.ts Masks unauthorized tokens in logs to prevent credential exposure
src/lib/utils.ts Adds shared regex caching utilities and LDAP escaping functions
src/lib/ldapActions.ts Replaces unbounded Map with LRU cache and adds hook error handlers
src/abstract/ldapFlat.ts Applies LDAP filter escaping and removes duplicate regex utilities

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/lib/utils.ts
Comment on lines +28 to +47
export function getCompiledRegex(pattern: string, flags?: string): RegExp {
const key = flags ? `${pattern}:${flags}` : pattern;
let regex = regexCache.get(key);
if (!regex) {
regex = new RegExp(pattern, flags);
regexCache.set(key, regex);
}
return regex;
}

/**
* Escape special regex characters in a string
* Useful when building dynamic regex patterns from user input
*
* @param str - The string to escape
* @returns The escaped string safe for use in RegExp
*/
export function escapeRegex(str: string): string {
return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
Copy link

Copilot AI Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new regex caching utility functions (getCompiledRegex and escapeRegex) lack test coverage. While these are lower risk than security functions, they are shared across multiple plugins and should have unit tests to verify:

  1. Proper caching behavior (returns same RegExp instance for same pattern)
  2. Correct handling of flags parameter
  3. Proper escaping of all special regex characters in escapeRegex

Consider adding tests for these utility functions in a test file like test/lib/utils.test.ts.

Copilot uses AI. Check for mistakes.
@guimard @claude
fix: address Copilot review feedback
31f3143 
- Escape DN parameter in organization.ts search filter (LDAP injection fix)
- Replace escapeLdapFilter() with whitelist validation for LDAP attribute names
  in ldapFlat.ts (proper security pattern for attribute names)
- Add documentation clarifying regexCache is for static patterns only
- Fix prettier formatting in ldapFlat.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@guimard guimard merged commit 5b54438 into master Jan 21, 2026
5 checks passed
@guimard guimard deleted the fix/security-and-code-quality-improvements branch January 21, 2026 20:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@guimard guimard

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@guimard