feat(acl) Add a hard limit of 100 targets matched for an ACL target filter

This avoids performanance problems and RAM exhaustion.

issue #5531

include/class_userinfo.inc

@@ -137,6 +137,7 @@ class userinfo
     $this->reset_acl_cache();
     $ldap = $config->get_ldap_link();
     $ldap->cd($config->current['BASE']);
+    $targetFilterLimit  = 100;
 
     /* Get member groups... */
     $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
@@ -229,12 +230,24 @@ class userinfo
 
         if (!empty($ACLRule['targetfilter'])) {
           $ldap->cd($dn);
+          $ldap->set_size_limit($targetFilterLimit);
           $targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f');
           $ldap->search($targetFilter, ['dn']);
+          if ($ldap->hitSizeLimit()) {
+            msg_dialog::display(
+              _('Error'),
+              sprintf(
+                _('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'),
+                $targetFilterLimit
+              ),
+              ERROR_DIALOG
+            );
+          }
           $targetDns = [];
           while ($targetAttrs = $ldap->fetch()) {
             $targetDns[] = $targetAttrs['dn'];
           }
+          $ldap->set_size_limit(0);
         } else {
           $targetDns = [$dn];
         }

[bmortier]

SonarQube analysis reported 1 issue

• 1 major

Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

1. This function "loadACL" has 158 lines, which is greater than the 150 lines authorized. Split it into smaller functions.

By Ghost User on 2019-10-08T08:24:56 (imported from GitLab)