[BugFix] Prevent LDAP Injection in authentication

Author: gulmetin

fe/fe-core/src/main/java/com/starrocks/mysql/security/LdapSecurity.java

@@ -97,7 +97,9 @@ public static boolean checkPasswordByRoot(String user, String password) {
             ctx = new InitialDirContext(env);
             SearchControls sc = new SearchControls();
             sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
-            String searchFilter = "(" + Config.authentication_ldap_simple_user_search_attr + "=" + user + ")";
+            // Escapes special characters in user input to prevent LDAP injection
+            String safeUser = escapeLdapValue(user);
+            String searchFilter = "(" + Config.authentication_ldap_simple_user_search_attr + "=" + safeUser + ")";
             NamingEnumeration<SearchResult> results = ctx.search(baseDN, searchFilter, sc);
 
             String userDN = null;
@@ -149,4 +151,18 @@ private static String trim(String src, String target) {
         }
         return src;
     }
+
+    public static String escapeLdapValue(String value) {
+        if (value == null) {
+            return null;
+        }
+
+        value = value.replace("\\", "\\5c");
+        value = value.replace("*", "\\2a");
+        value = value.replace("(", "\\28");
+        value = value.replace(")", "\\29");
+        value = value.replace("|", "\\7c");
+        value = value.replace("\\u0000", "\\00");
+        return value;
+    }
 }

fe/fe-core/src/test/java/com/starrocks/mysql/privilege/LdapSecurityTest.java

@@ -0,0 +1,57 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.mysql.privilege;
+
+import com.starrocks.mysql.security.LdapSecurity;
+import org.junit.Assert;
+import org.junit.Test;
+
+
+public class LdapSecurityTest {
+
+    public LdapSecurity ldapSecurity;
+
+    @Test
+    public void testEscapeJava() {
+        String input = "admin)(|(uid=*";
+        String escaped = ldapSecurity.escapeLdapValue(input);
+        Assert.assertFalse(escaped.contains(")"));
+        Assert.assertFalse(escaped.contains("("));
+        Assert.assertFalse(escaped.contains("|"));
+        Assert.assertFalse(escaped.contains("*"));
+        Assert.assertFalse(escaped.contains("."));
+    }
+
+    @Test
+    public void testEscapeJava_NullInput() {
+        String input = null;
+        String escaped = ldapSecurity.escapeLdapValue(input);
+        Assert.assertNull(escaped);
+    }
+
+    @Test
+    public void testEscapeJava_EmptyString() {
+        String input = "";
+        String escaped = ldapSecurity.escapeLdapValue(input);
+        Assert.assertEquals("", escaped);
+    }
+
+    @Test
+    public void testEscapeJava_SpecialCharacters() {
+        String input = "cn=admin,dc=example,dc=com";
+        String escaped = ldapSecurity.escapeLdapValue(input);
+        Assert.assertEquals(input, escaped);
+    }
+}