Ldap Injection in Gin with Firestore

Ldap Injection occurs when untrusted input is concatenated into an LDAP query without validation or escaping, allowing an attacker to manipulate the query structure. In a Gin application that uses Firestore as a backend data store, this typically happens when Firestore documents contain LDAP-related configuration or when Firestore is used to store user-supplied identifiers that are later passed to an LDAP client. Because Firestore itself does not execute LDAP queries, the injection arises at the application layer where Gin handlers build LDAP filter strings using values read from Firestore or supplied via HTTP request parameters.

Consider a Gin handler that retrieves a user’s organizational unit (OU) from Firestore and then builds an LDAP filter to search for group membership. If the Firestore document stores an OU value like Engineering and the handler directly interpolates user input into the filter, an attacker could supply Engineering)(objectClass=*) to change the query logic. Because Gin does not automatically sanitize inputs and Firestore does not validate LDAP syntax, the resulting filter becomes:

(&(objectClass=group)(memberOf=Engineering)(objectClass=*))

An attacker could instead supply Engineering))(&(objectClass=*), producing:

(&(objectClass=group)(memberOf=Engineering))(&(objectClass=*))

This may bypass intended access controls and return groups the user should not see. In configurations where Firestore stores service account credentials or LDAP base DNs, improper handling of user input can lead to more severe outcomes such as unauthorized directory enumeration. The risk is compounded when the same handler is used in unauthenticated endpoints, as middleBrick’s unauthenticated scan would flag this as an authentication bypass vector. Because Firestore is often treated as a trusted backend, developers may overlook the need to treat data from Firestore the same as any other input source.

The 12 parallel security checks in middleBrick would highlight this as an Authorization and Input Validation finding, emphasizing that data from Firestore must be validated and escaped before use in LDAP filters. This scenario aligns with patterns seen in CVE-type issues where directory traversal or privilege escalation occurs due to insufficient input sanitization.

To prevent Ldap Injection when using Gin with Firestore, treat all Firestore field values as untrusted when building LDAP queries. Use parameterized or precompiled LDAP filters where possible, and apply strict allow-listing validation on any Firestore-derived strings that participate in LDAP syntax.

Below is a secure Gin handler that retrieves a user’s OU from Firestore and constructs a safe LDAP filter. It uses ldap.EscapeFilter to escape special characters and validates the OU against a regular expression that permits only alphanumeric characters and a limited set of safe symbols.

package main

import (
    "context"
    "net/http"
    "regexp"

    "cloud.google.com/go/firestore"
    "github.com/gin-gonic/gin"
    "github.com/go-ldap/ldap/v3"
    "google.golang.org/api/iterator"
)

// safeOUName allows only letters, digits, hyphens, and underscores.
var ouRE = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

func getGroupsHandler(client *ldap.Conn, fsClient *firestore.Client) gin.HandlerFunc {
    return func(c *gin.Context) {
        userID := c.Param("userID")
        if userID == "" {
            c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "missing userID"})
            return
        }

        // Retrieve OU from Firestore
        ctx := context.Background()
        docSnap, err := fsClient.Collection("users").Doc(userID).Get(ctx)
        if err != nil || !docSnap.Exists() {
            c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"error": "user not found"})
            return
        }
        ouI, ok := docSnap.Data()["ou"]
        if !ok {
            c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "ou field missing"})
            return
        }
        ou, ok := ouI.(string)
        if !ok || !ouRE.MatchString(ou) {
            c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "invalid ou value"})
            return
        }

        // Build LDAP filter safely
        escapedOU := ldap.EscapeFilter(ou)
        filter := ldap.BuildFilter("(memberOf=OU=%s,DC=example,DC=com)", escapedOU)

        // Execute search (example)
        searchReq := ldap.NewSearchRequest(
            "DC=example,DC=com",
            ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
            filter,
            []string{"cn"},
            nil,
        )
        sr, err := client.Search(searchReq)
        if err != nil {
            c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "ldap error"})
            return
        }
        c.JSON(http.StatusOK, gin.H{"groups": sr.Entries})
    }
}

Key points:

• ldap.EscapeFilter neutralizes characters that carry LDAP syntax meaning (e.g., parentheses, asterisks).
• Allow-listing via ouRE ensures only expected characters reach the LDAP layer, mitigating injection even if escaping is bypassed.
• Firestore reads are treated as an input source; validation occurs before use in LDAP construction.

For API scanning, middleBrick’s CLI can be used to verify that the endpoint no longer exposes injection-prone behavior: middlebrick scan https://your-api.example.com/users/{userID}. In the Pro plan, continuous monitoring can alert if new endpoints introduce similar patterns, and the GitHub Action can fail builds when risk scores degrade.