
[plugins] make pem certificate regexp stricter #3631

Open
wants to merge 1 commit into base: main

Conversation

@champtar (Contributor) commented Apr 30, 2024

This allows applying do_*_private_sub() without fearing false positives.
Going through RFCs, PEM and OpenPGP use -----BEGIN, and only RFC4716
has a slightly different syntax ---- BEGIN SSH2 PUBLIC KEY ----.


Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname email@example.com?
  • Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?
  • Are all passwords or private data gathered by this PR obfuscated?


Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo yum install -y dnf-plugins-core on RHEL 8
  • sudo dnf install -y dnf-plugins-core on Fedora
  • dnf copr enable packit/sosreport-sos-3631
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@champtar (Contributor Author)

Actually SSH keys syntax is a bit different: ---- BEGIN SSH2 (4 - and a space instead of 5 -)

@champtar champtar marked this pull request as draft April 30, 2024 15:50
@champtar champtar marked this pull request as ready for review April 30, 2024 17:55
@champtar (Contributor Author)


False alarm, grepping through RFCs, it's only for ---- BEGIN SSH2 PUBLIC KEY ---- (RFC4716) which should be pretty rare and is a public key anyway

@TurboTurtle (Member)

Well, we do actually care about those. And the change was made to account for different counts of - characters. I'm not sure how reverting that actually benefits us, or if there is an active issue with our current handling of these kinds of blocks due to allowing any number of - characters in the header.

@champtar (Contributor Author)

Right now this matches even without any '-', and the RFCs are extremely strict, it's 5 '-', not a variable number. Do you have an example of a cert that we would not scrub anymore?

My idea was to make the match more precise, and then in a follow up PR make it run by default for all plugins under some conditions (with possibility to opt out).
That would avoid leaks like the kubernetes plugin.

I'll fix this PR in a bit.
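The strict header syntax the PR description and the exchange above turn on (five hyphens for RFC 7468 PEM, four hyphens plus a space for the RFC 4716 SSH2 public key) can be checked against a loose pattern that also accepts zero hyphens. The following is an added illustration in Python written for this page; it is not sos code, does not reproduce sos's current or previous regexp, and the `LOOSE_BLOCK` pattern, the `scrub_keys`/`scrub_loose` helpers and the sample text (with fake key material) are all constructed here to show the difference in behaviour:

```python
import re

# Strict PEM (RFC 7468): exactly five hyphens on each side, no space between
# the hyphens and BEGIN/END, and the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9][A-Z0-9 ]*)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# RFC 4716 SSH2 public key: four hyphens, a space, then the fixed label.
SSH2_BLOCK = re.compile(
    r"---- BEGIN SSH2 PUBLIC KEY ----\r?\n"
    r"(?P<body>.*?)"
    r"---- END SSH2 PUBLIC KEY ----",
    re.DOTALL,
)

# Loose pattern, constructed for this example only: "-*" also matches zero
# hyphens, so any "BEGIN X ... END X" text is treated as a key block.
LOOSE_BLOCK = re.compile(
    r"-*BEGIN (?P<label>[A-Z0-9][A-Z0-9 ]*?)-*\r?\n"
    r"(?P<body>.*?)"
    r"-*END (?P=label)-*",
    re.DOTALL,
)


def _scrub(pattern, text, placeholder):
    """Replace only the body of each match, keeping header and footer intact."""
    def repl(m):
        whole = m.group(0)
        start = m.start("body") - m.start()
        end = m.end("body") - m.start()
        return whole[:start] + placeholder + "\n" + whole[end:]
    return pattern.subn(repl, text)


def scrub_keys(text, placeholder="********"):
    """Strict scrubbing: returns (scrubbed_text, number_of_blocks_scrubbed)."""
    text, n_pem = _scrub(PEM_BLOCK, text, placeholder)
    text, n_ssh = _scrub(SSH2_BLOCK, text, placeholder)
    return text, n_pem + n_ssh


def scrub_loose(text, placeholder="********"):
    """Loose scrubbing with the constructed zero-or-more-hyphen pattern."""
    return _scrub(LOOSE_BLOCK, text, placeholder)


# Constructed sample: one real PEM block, one RFC 4716 block, a SQL-style
# transaction log, and a non-RFC four-hyphen header. Key material is fake.
SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfake1
MIIEowIBAAKCAQEAfake2
-----END RSA PRIVATE KEY-----
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed example"
AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake
---- END SSH2 PUBLIC KEY ----
BEGIN TRANSACTION
INSERT INTO audit VALUES (1, 'not a key');
END TRANSACTION
----BEGIN NOT PEM----
payload
----END NOT PEM----
"""

if __name__ == "__main__":
    strict_text, strict_n = scrub_keys(SAMPLE)
    loose_text, loose_n = scrub_loose(SAMPLE)
    print("strict scrubbed", strict_n, "blocks")
    print(strict_text)
    print("loose scrubbed", loose_n, "blocks (including the SQL log)")
    print(loose_text)
```

With the strict patterns the two RFC-conformant blocks are scrubbed and the transaction log is left readable; the loose pattern also eats the `BEGIN TRANSACTION ... END TRANSACTION` text, which is exactly the false positive that makes a scrubber unsafe to run on every plugin's output by default. The caveat cuts both ways: the strict pattern deliberately ignores the non-RFC four-hyphen header in the sample, so anything that is not RFC 7468 or RFC 4716 syntax needs its own rule.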

This allows applying do_*_private_sub() without fearing false positives.
Going through RFCs, PEM and OpenPGP use `-----BEGIN`, and only RFC4716
has a slightly different syntax `---- BEGIN SSH2 PUBLIC KEY ----`.

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
@champtar (Contributor Author)

Updated to match SSH2 public key
