kallithea Changeset - 155c52d8f210

Changeset - 155c52d8f210

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Mads Kiilerich - 6 years ago 2019-12-29 15:31:25
mads@kiilerich.com

Grafted from: 9b628fbec144

ssh: extra paranoid check for authorized_keys lines having safe content

1 file changed with 14 insertions and 0 deletions:

kallithea/lib/ssh.py

0 comments (0 inline, 0 general)

kallithea/lib/ssh.py

➞

Show inline comments

@@ @@ -94,12 +94,24 @@ def parse_pub_key(ssh_key): @@
     return keytype, decoded, comment
 SSH_OPTIONS = 'no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding'
 def _safe_check(s, rec = re.compile('^[a-zA-Z0-9+/]+={0,2}$')):
     """Return true if s really has the right content for base64 encoding and only contains safe characters
     >>> _safe_check('asdf')
     True
     >>> _safe_check('as df')
     False
     >>> _safe_check('AAAAB3NzaC1yc2EAAAALVGhpcyBpcyBmYWtlIQ==')
     True
     """
     return rec.match(s) is not None
 def authorized_keys_line(kallithea_cli_path, config_file, key):
     """
     Return a line as it would appear in .authorized_keys
     >>> from kallithea.model.db import UserSshKeys, User
     >>> user = User(user_id=7, username='uu')
@@ @@ -110,10 +122,12 @@ def authorized_keys_line(kallithea_cli_p @@
     """
     try:
         keytype, decoded, comment = parse_pub_key(key.public_key)
     except SshKeyParseError:
         return '# Invalid Kallithea SSH key: %s %s\n' % (key.user.user_id, key.user_ssh_key_id)
     mimekey = decoded.encode('base64').replace('\n', '')
     if not _safe_check(mimekey):
         return '# Invalid Kallithea SSH key - bad base64 encoding: %s %s\n' % (key.user.user_id, key.user_ssh_key_id)
     return '%s,command="%s ssh-serve -c %s %s %s" %s %s\n' % (
         SSH_OPTIONS, kallithea_cli_path, config_file,
         key.user.user_id, key.user_ssh_key_id,
         keytype, mimekey)

0 comments (0 inline, 0 general)