feat(ldapauth): sanitize input for group search filter

lib/ldapauth.js

@@ -52,6 +52,25 @@ var getOption = function(obj, keys) {
   return undefined;
 };
 
+/**
+ * Sanitize LDAP special characters from input
+ *
+ * {@link https://tools.ietf.org/search/rfc4515#section-3}
+ *
+ * @private
+ * @param {string} input - String to sanitize
+ * @returns {string} Sanitized string
+ */
+var sanitizeInput = function(input) {
+  return input
+    .replace(/\*/g, '\\2a')
+    .replace(/\(/g, '\\28')
+    .replace(/\)/g, '\\29')
+    .replace(/\\/g, '\\5c')
+    .replace(/\0/g, '\\00')
+    .replace(/\//g, '\\2f');
+};
+
 /**
  * Create an LDAP auth class. Primary usage is the `.authenticate` method.
  *
@@ -139,8 +158,8 @@ function LdapAuth(opts) {
       var groupSearchFilter = opts.groupSearchFilter;
       opts.groupSearchFilter = function(user) {
         return groupSearchFilter
-          .replace(/{{dn}}/g, user[opts.groupDnProperty])
-          .replace(/{{username}}/g, user.uid);
+          .replace(/{{dn}}/g, sanitizeInput(user[opts.groupDnProperty] || ''))
+          .replace(/{{username}}/g, sanitizeInput(user.uid || ''));
       };
     }
 
@@ -284,25 +303,6 @@ LdapAuth.prototype._search = function(searchBase, options, callback) {
   });
 };
 
-/**
- * Sanitize LDAP special characters from input
- *
- * {@link https://tools.ietf.org/search/rfc4515#section-3}
- *
- * @private
- * @param {string} input - String to sanitize
- * @returns {string} Sanitized string
- */
-var sanitizeInput = function(input) {
-  return input
-    .replace(/\*/g, '\\2a')
-    .replace(/\(/g, '\\28')
-    .replace(/\)/g, '\\29')
-    .replace(/\\/g, '\\5c')
-    .replace(/\0/g, '\\00')
-    .replace(/\//g, '\\2f');
-};
-
 /**
  * Find the user record for the given username.
  *