Bug 1721425

Summary: 389 should assert that filters conform to schema
Product: Red Hat Enterprise Linux 8 Reporter: thierry bordaz <tbordaz>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.2CC: bsmejkal, mreynolds, msauton, nkinder, pasik, spichugi, tbordaz, tmihinto, tscherf, vashirov
Target Milestone: rcKeywords: TestCaseProvided
Target Release: 8.2Flags: vashirov: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766 Doc Type: Bug Fix
Doc Text:
Cause: Using search filters that contain attributes that do not exist in the servers schema. Consequence: These filter are invlaid and will almost always be unindexed. Fix: Log a message when this occurs, and also added a new config setting to control how the server handles these filters Result: An admin can be notified when a client is using invalid filters, and has the option to reject these filters.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-04 03:07:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description thierry bordaz 2019-06-18 09:29:49 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/50349

#### Issue Description
389 Should assert that all attributes in a filter are present and valid in schema. If there are attributes in a filter that are not in schema, this can lead to DOS due to fall-back to un-indexed scans, and it also can mask and cover-up application and development issues with queries. For example, the referenced case was caused by IPA mistakenly searching an attribute that can never be satisfied by ACI/filter. 

This should optionally be allowed to be disabled, due to some sites that use things like extensibleObject that by nature, bypass and violate schema. 

https://pagure.io/389-ds-base/pull-request/50252#comment-85208
Comment 11 mreynolds 2020-06-22 22:22:47 UTC 
1843567 is now post, moving this bug to MODIFIED
Comment 14 mreynolds 2020-06-30 17:14:48 UTC 
design doc:

https://www.port389.org/docs/389ds/design/filter-syntax-validation.html
Comment 15 bsmejkal 2020-07-22 09:51:09 UTC 
=============================================================================================== test session starts ===============================================================================================
platform linux -- Python 3.6.8, pytest-5.4.3, py-1.9.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-221.el8.x86_64-x86_64-with-redhat-8.3-Ootpa', 'Packages': {'pytest': '5.4.3', 'py': '1.9.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.10.0', 'html': '2.1.1', 'libfaketime': '0.1.2'}}
389-ds-base: 1.4.3.8-4.module+el8.3.0+7193+dfd1e8ad
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-15.el8
cyrus-sasl: 2.1.27-5.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, inifile: pytest.ini
plugins: metadata-1.10.0, html-2.1.1, libfaketime-0.1.2
collected 4 items                                                                                                                                                                                                 

dirsrvtests/tests/suites/filter/schema_validation_test.py::test_filter_validation_config PASSED                                                                                                             [ 25%]
dirsrvtests/tests/suites/filter/schema_validation_test.py::test_filter_validation_enabled PASSED                                                                                                            [ 50%]
dirsrvtests/tests/suites/filter/schema_validation_test.py::test_filter_validation_warn_safe PASSED                                                                                                          [ 75%]
dirsrvtests/tests/suites/filter/schema_validation_test.py::test_filter_validation_warn_unsafe PASSED                                                                                                        [100%]

=============================================================================================== 4 passed in 14.78s ===============================================================================================

Marking as VERIFIED.
Comment 18 errata-xmlrpc 2020-11-04 03:07:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:4695