# Unsafe: tainted Rails param interpolated into the LDAP filter passed to
# Net::LDAP#search. The receiver is constructed via Net::LDAP.new and
# carries TypeKind::LdapClient; type-qualified resolution rewrites
# `ldap.search` → `LdapClient.search`, firing LDAP_INJECTION.
require "net/ldap"
# Analyzer fixture: a controller whose lookup action builds an LDAP filter
# from request input without escaping it. Kept unsafe on purpose so the
# LDAP_INJECTION rule has something to fire on.
class UsersController
  # Searches the people subtree for the entry whose uid equals params[:user].
  #
  # @param params [#[]] request parameters; the :user value is treated as tainted
  # @return whatever Net::LDAP#search returns for the query
  def lookup(params)
    user = params[:user]
    ldap = Net::LDAP.new(host: "ldap.example.com")
    search_base = "ou=people,dc=example,dc=com"

    # Taint reaches the sink here: the raw value is spliced into the filter
    # text, so filter metacharacters in it (parentheses, "*", backslash)
    # reshape the query instead of being matched literally. A non-fixture
    # version would escape the value first with Net::LDAP::Filter.escape(user),
    # or build the filter with Net::LDAP::Filter.equals("uid", user).
    uid_filter = "(uid=#{user})"

    # The receiver stays a local built by Net::LDAP.new so that the call
    # below remains a method call on a Net::LDAP instance.
    ldap.search(base: search_base, filter: uid_filter)
  end
end