CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync...
authorAndrew Bartlett <abartlet@samba.org>
Sun, 6 Aug 2023 23:56:56 +0000 (11:56 +1200)
committerJule Anger <janger@samba.org>
Mon, 9 Oct 2023 20:15:19 +0000 (22:15 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/dirsync [new file with mode: 0644]
source4/dsdb/tests/python/dirsync.py

diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
new file mode 100644 (file)
index 0000000..9367f92
--- /dev/null
@@ -0,0 +1 @@
+^samba4.ldap.dirsync.python\(.*\).__main__.SimpleDirsyncTests.test_dirsync_unicodePwd
\ No newline at end of file
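Review bot: The new knownfail pattern carries no explanation of why test_dirsync_unicodePwd is expected to fail, so the entry can easily outlive the server-side fix it is waiting for. A comment line above the pattern, such as `# test fails until the DirSync secret-attribute fix for bug 15424 (CVE-2023-4154) lands`, would keep the reason traceable to the bug this commit cites, assuming the selftest reader skips `#` lines as it does in other knownfail.d files. The file is also written without a trailing newline (see the marker after the pattern), which is worth fixing before further patterns are appended.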
index e06b85bc749fdd4e03c009114a17558a4e8965b0..2cacaf01251a7de7a9fa2611f05a0c842e35f780 100755 (executable)
@@ -742,6 +742,18 @@ class SimpleDirsyncTests(DirsyncBaseTests):
         self.assertEqual(guid2, guid)
         self.assertEqual(str(res[0].dn), "")
 
+    def test_dirsync_unicodePwd(self):
+        res = self.ldb_admin.search(self.base_dn,
+                                    attrs=["unicodePwd", "supplementalCredentials", "samAccountName"],
+                                    expression="(samAccountName=krbtgt)",
+                                    controls=["dirsync:1:0:0"])
+
+        self.assertTrue(len(res) == 1)
+        # This form ensures this is a case insensitive comparison
+        self.assertTrue("samAccountName" in res[0])
+        self.assertTrue(res[0].get("samAccountName"))
+        self.assertTrue(res[0].get("unicodePwd") is None)
+        self.assertTrue(res[0].get("supplementalCredentials") is None)
 
 if not getattr(opts, "listtests", False):
     lp = sambaopts.get_loadparm()
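Review bot: test_dirsync_unicodePwd has no docstring, and its `assertTrue(len(res) == 1)` and `assertTrue(... is None)` checks will only report "False is not true" on a regression, which hides whether the krbtgt object was missing from the DirSync response or a secret attribute was actually returned. Use `self.assertEqual(len(res), 1)`, `self.assertIsNone(res[0].get("unicodePwd"))` and `self.assertIsNone(res[0].get("supplementalCredentials"))` so the failure names the leaked attribute, and add a docstring such as "Secret attributes (unicodePwd, supplementalCredentials) must not be returned by a search carrying the DirSync control even when explicitly requested; bug 15424 / CVE-2023-4154." The search is issued only over `self.ldb_admin`; if the property being pinned is that the DirSync path never discloses secret attributes regardless of the caller's rights, a second run over a less-privileged connection, where the base class provides one, would make that explicit. The enclosing class SimpleDirsyncTests starts outside the hunk.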