Skip to content

fix: escape NUL byte in LDAP filter values#122

Merged
henrist merged 1 commit intomasterfrom
fix/ldap-escape-null-byte
May 3, 2026
Merged

fix: escape NUL byte in LDAP filter values#122
henrist merged 1 commit intomasterfrom
fix/ldap-escape-null-byte

Conversation

@henrist
Copy link
Copy Markdown
Member

@henrist henrist commented May 3, 2026
edited by coderabbitai Bot
Loading

Summary

escape() called replace(0x0.toString(), "\\00"), but Int.toString() returns "0" — so every literal digit 0 in usernames/emails was replaced with \00. JNDI then DN-decoded \00 back to a real NUL byte and stored that in LDAP. Username leo04 was stored as leo<NUL>4 (leo\004 in DN form). The email-uniqueness check in CreateUser could also spuriously pass for emails containing 0.

Fix: replace the bogus marker with the actual NUL escape. Added EscapeSpec covering all five RFC 2254 special chars plus a regression case for the digit 0.

Cleanup needed (manual, post-merge)

  • Existing LDAP entries with NUL corruption in uid need to be renamed (e.g. leo<NUL>4leo04).
  • Worth scanning for any other affected users/emails containing the digit 0.

Test plan

  • ./gradlew test passes (couldn't run locally — no JDK in my env)
  • After merge: rename broken LDAP entries

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Fixed NUL character escaping in LDAP queries to ensure proper RFC 2254 compliance.

  • Tests

    • Added comprehensive test suite for LDAP character escaping, validating proper handling of special characters including backslash, parentheses, asterisks, and null characters, plus regression tests for regular input.

@henrist @claude
fix: escape NUL byte in LDAP filter values
a724b27 
`0x0.toString()` evaluates to "0", so the digit `0` was being replaced
with `\00`. JNDI then DN-decoded `\00` to a real NUL byte — username
`leo04` ended up stored in LDAP as `leo<NUL>4` (`leo\004` in DN form).
Same corruption hit any email/username containing the digit 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 3, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: df903657-b7b4-4ced-8d58-9e92bbde318c

📥 Commits

Reviewing files that changed from the base of the PR and between 2dfa762 and a724b27.

📒 Files selected for processing (2)
  • src/main/kotlin/no/foreningenbs/usersapi/ldap/Ldap.kt
  • src/test/kotlin/no/foreningenbs/usersapi/ldap/EscapeSpec.kt
📝 Walkthrough

Walkthrough

The LDAP escaping logic is updated to detect NUL characters using direct Unicode escape notation ("\u0000") instead of hex conversion (0x0.toString()). A comprehensive new test suite verifies RFC 2254 compliance for special characters, regression cases, and benign inputs.

Changes

LDAP NUL Character Escaping Fix

Layer / File(s) Summary
Core Implementation
src/main/kotlin/no/foreningenbs/usersapi/ldap/Ldap.kt		 NUL character detection in escape() function changes from .replace(0x0.toString(), "\\00") to .replace("\u0000", "\\00") for more reliable RFC 2254 compliance.
Test Coverage
src/test/kotlin/no/foreningenbs/usersapi/ldap/EscapeSpec.kt		 New Kotest EscapeSpec suite validates escaping of five RFC 2254 special characters including NUL, regression-checks digit preservation, and confirms benign input passthrough.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

🐰 A null character, once so hard to find,
Now caught with unicode, crystal and kind,
The escape function shines, RFC complies,
Tests bloom like clover—no bugs to disguise!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely describes the main fix: escaping NUL bytes in LDAP filter values, which is the core change across both the implementation and test files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/ldap-escape-null-byte

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 60 minutes.

Comment @coderabbitai help to get the list of available commands and usage tips.

@henrist henrist merged commit a02c027 into master May 3, 2026
5 checks passed
@henrist henrist deleted the fix/ldap-escape-null-byte branch May 3, 2026 20:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@henrist