Sanitize LDAP errors (2.0)

crates/defguard_certs/src/lib.rs

@@ -2,6 +2,7 @@ use std::{net::IpAddr, str::FromStr};
 
 use base64::{Engine, prelude::BASE64_STANDARD};
 use chrono::NaiveDateTime;
+pub use rcgen::ExtendedKeyUsagePurpose;
 use rcgen::{
     BasicConstraints, Certificate, CertificateParams, CertificateSigningRequestParams, IsCa,
     Issuer, KeyPair, KeyUsagePurpose, SigningKey, string::Ia5String,
@@ -14,8 +15,6 @@ use x509_parser::{
     parse_x509_certificate,
 };
 
-pub use rcgen::ExtendedKeyUsagePurpose;
-
 const CA_NAME: &str = "Defguard CA";
 const NOT_BEFORE_OFFSET_SECS: Duration = Duration::minutes(5);
 const DEFAULT_CERT_VALIDITY_DAYS: i64 = 1825;

crates/defguard_core/src/enterprise/ldap/error.rs

@@ -1,10 +1,22 @@
 use defguard_common::db::models::settings::SettingsSaveError;
 use thiserror::Error;
 
+/// Strips null bytes and non-printable control characters from LDAP error strings.
+/// LDAP server responses may embed raw binary data or null terminators in diagnostic
+/// fields (e.g. `LdapResult.text`, `LdapResult.matched`) that corrupt log output.
+pub(super) fn sanitize_ldap_string(s: &str) -> String {
+    s.chars()
+        .filter(|&c| c == '\n' || c == '\t' || !c.is_control())
+        .collect()
+}
+
 #[derive(Debug, Error)]
 pub enum LdapError {
+    /// Sanitized string representation of an ldap3 error. Stored as String (rather than
+    /// the original ldap3::LdapError) so null bytes and control chars are stripped once
+    /// at conversion time and can never surface through Display or Debug.
     #[error("LDAP error: {0}")]
-    Ldap(#[from] ldap3::LdapError),
+    Ldap(String),
     #[error("Object not found: {0}")]
     ObjectNotFound(String),
     #[error("Missing required LDAP settings: {0}")]
@@ -35,3 +47,38 @@ pub enum LdapError {
     #[error("User {0} does not belong to the defined synchronization groups in {1}")]
     UserNotInLDAPSyncGroups(String, &'static str),
 }
+
+impl From<ldap3::LdapError> for LdapError {
+    fn from(err: ldap3::LdapError) -> Self {
+        Self::Ldap(sanitize_ldap_string(&err.to_string()))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::sanitize_ldap_string;
+
+    #[test]
+    fn sanitize_ldap_string_strips_control_chars() {
+        // Null bytes, bells, and other control chars should be removed.
+        assert_eq!(sanitize_ldap_string("hello\0world"), "helloworld");
+        assert_eq!(sanitize_ldap_string("text\x01\x02\x03"), "text");
+        assert_eq!(
+            sanitize_ldap_string("rc=49, dn: \"\0\", text: \"invalid\0creds\""),
+            "rc=49, dn: \"\", text: \"invalidcreds\""
+        );
+
+        // Tabs and newlines should be kept.
+        assert_eq!(
+            sanitize_ldap_string("line1\nline2\ttabbed"),
+            "line1\nline2\ttabbed"
+        );
+
+        // Printable ASCII and Unicode should pass through unchanged.
+        assert_eq!(
+            sanitize_ldap_string("normal error text"),
+            "normal error text"
+        );
+        assert_eq!(sanitize_ldap_string("ünïcödé"), "ünïcödé");
+    }
+}

crates/defguard_core/src/enterprise/ldap/model.rs

@@ -7,7 +7,10 @@ use defguard_common::db::{
 use ldap3::{Mod, SearchEntry};
 use sqlx::PgExecutor;
 
-use super::{LDAPConfig, error::LdapError};
+use super::{
+    LDAPConfig,
+    error::{LdapError, sanitize_ldap_string},
+};
 use crate::{handlers::user::check_username, hashset};
 
 pub(crate) enum UserObjectClass {
@@ -45,12 +48,12 @@ pub(crate) fn user_from_searchentry(
     if let Some(rdn) = extract_rdn_value(&entry.dn) {
         user.ldap_rdn = Some(rdn);
     } else {
-        return Err(LdapError::InvalidDN(entry.dn.clone()));
+        return Err(LdapError::InvalidDN(sanitize_ldap_string(&entry.dn)));
     }
     if let Some(dn_path) = extract_dn_path(&entry.dn) {
         user.ldap_user_path = Some(dn_path);
     } else {
-        return Err(LdapError::InvalidDN(entry.dn.clone()));
+        return Err(LdapError::InvalidDN(sanitize_ldap_string(&entry.dn)));
     }
     // Print the warning only if everything else checks out
     if check_username(username).is_err() {