diff --git a/.github/workflows/codacy-analysis.yml b/.github/workflows/codacy-analysis.yml new file mode 100644 index 000000000..bbc5bc09d --- /dev/null +++ b/.github/workflows/codacy-analysis.yml @@ -0,0 +1,49 @@ +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '36 23 * * 3' + +jobs: + codacy-security-scan: + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v2 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@1.1.0 + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: results.sarif diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..dcbfd3e6f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,27 @@ +# Security Policy + +We take security issues very seriously, and will always attempt to address any +vulnerabilities as quickly as possible. + +## Supported Versions + +We try to make a reasonable effort to support older versions of Snipe-IT, +however there are times when library dependencies and/or PHP/MySQL dependencies +make it impossible to backport security fixes on older versions. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Security vulnerabilities should be sent to security@snipeitapp.com. You can typically expect a +response within two business days, and we typically have fixes out in under a week from the initial disclosure. + +This obviously varies based on the severity of the security issue and the difficulty in remediation, +but those have historically been the timelines we worm around. + +For a full breakdown of our security policies, please see https://snipeitapp.com/security. diff --git a/app/Models/Ldap.php b/app/Models/Ldap.php index 9de8ca0cd..f06da9058 100644 --- a/app/Models/Ldap.php +++ b/app/Models/Ldap.php @@ -93,8 +93,12 @@ class Ldap extends Model \Log::debug('Attempting to login using distinguished name:'.$userDn); - + $filterQuery = $settings->ldap_auth_filter_query . $username; + $filter = Setting::getSettings()->ldap_filter; + $filterQuery = "({$filter}({$filterQuery}))"; + + \Log::debug('Filter query: '.$filterQuery); if (!$ldapbind = @ldap_bind($connection, $userDn, $password)) {