nyx/tests/fixtures/ldap_injection/go/safe_ldap_search.go
2026-05-07 01:29:31 -04:00

27 lines
628 B
Go

// Safe: ldap.EscapeFilter applies RFC 4515 escaping before the user value
// is interpolated into the filter. Sanitizer(LDAP_INJECTION) clears the cap.
package ldap_safe
import (
"fmt"
"net/http"
"github.com/go-ldap/ldap/v3"
)
func Lookup(w http.ResponseWriter, r *http.Request) {
conn, _ := ldap.DialURL("ldap://example.com")
user := r.FormValue("user")
safe := ldap.EscapeFilter(user)
filter := fmt.Sprintf("(uid=%s)", safe)
req := ldap.NewSearchRequest(
"ou=people,dc=example,dc=com",
ldap.ScopeWholeSubtree,
ldap.NeverDerefAliases,
0, 0, false,
filter,
[]string{"cn"},
nil,
)
conn.Search(req)
}