Module
users_ldap_groups

Describe the bug
The operator methods of model res.company.ldap.operator should be private. Because they are public methods, they can be invoked through the JSON-RPC API, which allows arbitrary LDAP queries.

To Reproduce
Affected versions: all
Steps to reproduce the behavior:
Send POST /web/dataset/call_kw/res.company.ldap.operator/query HTTP/1.1, e.g., with data
{"id":5,"jsonrpc":"1.0","method":"call","params":{"model":"res.company.ldap.operator","method":"query","args":["","",""],"kwargs":{}}}

Expected behavior
The methods should not be reachable via the JSON-RPC API; they should only be callable from other Python classes.

Additional context
See https://www.odoo.com/documentation/17.0/developer/reference/backend/security.html#unsafe-public-methods

Attempted fix
A possible fix for this vulnerability is now in #659 (62d064f).

This project seems to be maintained with inadequate resources. Could @gurneyalex, as the OCA Representative of this project, take a look at this vulnerability and the fix in #596? This has now been publicly available for three months. Thanks!
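To make the rule behind the expected behavior concrete (the private-method convention from the Odoo security documentation linked above), here is an added Python example; it is not code from users_ldap_groups. It imitates Odoo's check_method_name and the call_kw dispatch with a hypothetical operator model in its public and underscore-prefixed forms over a constructed in-memory directory; FAKE_DIRECTORY, directory_search, LdapOperatorBefore/After, call_kw and rpc_body are all assumptions made for the example.

```python
import json

class AccessError(Exception):
    pass

def check_method_name(name):
    # Rule Odoo applies in odoo.models.check_method_name: "_..." and "init" are private.
    if name.startswith("_") or name == "init":
        raise AccessError("Private methods (such as %s) cannot be called remotely." % name)

FAKE_DIRECTORY = {  # constructed in-memory stand-in for the LDAP directory
    "cn=alice,dc=example,dc=com": {"memberOf": ["cn=admins"]},
    "cn=bob,dc=example,dc=com": {"memberOf": ["cn=staff"]},
}

def directory_search(attribute, value):  # stands in for the LDAP search; value is the filter
    return [dn for dn, attrs in FAKE_DIRECTORY.items() if value in attrs.get(attribute, [])]

class LdapOperatorBefore:
    """Hypothetical operator model with a public method: reachable through call_kw."""
    def query(self, ldap_entry, attribute, value):
        return directory_search(attribute, value)

class LdapOperatorAfter:
    """Same operator renamed with a leading underscore, as the attempted fix does."""
    def _query(self, ldap_entry, attribute, value):
        return directory_search(attribute, value)

def call_kw(model, body):
    # Minimal imitation of /web/dataset/call_kw dispatch, private-name check included.
    params = json.loads(body)["params"]
    check_method_name(params["method"])
    return getattr(model, params["method"])(*params["args"], **params["kwargs"])

def rpc_body(method, args):
    # Same shape as the payload in the report; args (including the filter) arrive over the network.
    return json.dumps({"id": 5, "jsonrpc": "1.0", "method": "call", "params": {
        "model": "res.company.ldap.operator", "method": method, "args": args, "kwargs": {}}})

def demo():
    # Returns (entries exposed by the public operator, whether the private one was refused).
    args = [None, "memberOf", "cn=admins"]
    exposed = call_kw(LdapOperatorBefore(), rpc_body("query", args))
    try:
        call_kw(LdapOperatorAfter(), rpc_body("_query", args))
        refused = False
    except AccessError:
        refused = True
    return exposed, refused
```

Other Python code still calls _query directly; only the RPC path is closed by the rename.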