From 62ecf23c2c828440ac77eeb7ba1b9fe4eb250543 Mon Sep 17 00:00:00 2001
From: Vinny Mannello <94396874+VinnyHC@users.noreply.github.com>
Date: Wed, 15 Dec 2021 13:17:07 -0800
Subject: [PATCH] EscapeLDAPValue - catch trailing escape character  (#13452)

* [VAULT-4018] - EscapeLDAPValue catch trailing escape character
---
 changelog/13452.txt                | 3 +++
 sdk/helper/ldaputil/client.go      | 2 +-
 sdk/helper/ldaputil/client_test.go | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 changelog/13452.txt

diff --git a/changelog/13452.txt b/changelog/13452.txt
new file mode 100644
index 000000000..617723046
--- /dev/null
+++ b/changelog/13452.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+sdk/helper/ldaputil: properly escape a trailing escape character to prevent panics.
+```
\ No newline at end of file
diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 2c3a17fb9..329e69ecc 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -512,7 +512,7 @@ func EscapeLDAPValue(input string) string {
 	// - null
 	for i := 0; i < len(input); i++ {
 		escaped := false
-		if input[i] == '\\' {
+		if input[i] == '\\' && i+1 < len(input)-1 {
 			i++
 			escaped = true
 		}
diff --git a/sdk/helper/ldaputil/client_test.go b/sdk/helper/ldaputil/client_test.go
index f81294ffc..c9ae9cd4b 100644
--- a/sdk/helper/ldaputil/client_test.go
+++ b/sdk/helper/ldaputil/client_test.go
@@ -32,6 +32,9 @@ func TestLDAPEscape(t *testing.T) {
 		"test\\hello": "test\\\\hello",
 		"  test  ":    "\\  test \\ ",
 		"":            "",
+		"\\test":      "\\\\test",
+		"test\\":      "test\\\\",
+		"test\\ ":     "test\\\\\\ ",
 	}
 
 	for test, answer := range testcases {