From 344865884bfcaa694d56ad2dde556b376dd449b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Wed, 19 May 2021 15:44:41 +0000
Subject: [PATCH] fix: groupCreate: deny groups starting with 'key'

Mitigates #178
---
 bin/plugin/restricted/groupCreate | 8 ++++++++
 tests/functional/tests.d/350-groups.sh | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/bin/plugin/restricted/groupCreate b/bin/plugin/restricted/groupCreate
index c023fc6..125cd96 100755
--- a/bin/plugin/restricted/groupCreate
+++ b/bin/plugin/restricted/groupCreate
@@ -83,6 +83,14 @@ if (!$group || !$owner) {
 osh_exit 'ERR_MISSING_PARAMETER', "Group name or owner is missing";
 }
 
+# first, check that the name doesn't start with 'key' (see https://github.com/ovh/the-bastion/issues/178)
+# as the is_valid_group() internally automatically guesses whether the input is from a user (in that case
+# the $group is a bastion group name) or some other part of the code (in that case the $group might be
+# the name of the OS group mapped to the bastion group name, hence starting with 'key')
+if ($group =~ /^key/) {
+ osh_exit 'ERR_INVALID_PARAMETER', "The group name can't start with 'key' (reserved prefix)";
+}
+
 if ($algo && !$size && lc($algo) eq 'ed25519') {
 $size = 256; # ed25519 size is always 256
 }
diff --git a/tests/functional/tests.d/350-groups.sh b/tests/functional/tests.d/350-groups.sh
index 00b8519..233c50d 100644
--- a/tests/functional/tests.d/350-groups.sh
+++ b/tests/functional/tests.d/350-groups.sh
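Review bot: The added `if ($group =~ /^key/)` guard in bin/plugin/restricted/groupCreate reserves the prefix only at this one entry point and only for groups created from now on, while the ambiguity it works around stays in is_valid_group(), which per the new comment still guesses whether its input is a bastion group name or an OS group name. Groups that already exist with a name starting with 'key', and any other plugin that hands a user-supplied group name to that helper, are presumably still open to the misinterpretation described in issue #178; neither is visible in this hunk, so this needs checking against the rest of the tree. I would record that limit in the comment itself, e.g. `# NOTE: mitigation only, covers newly created groups; pre-existing 'key*' groups must be audited separately`, and track a follow-up in which callers state explicitly which kind of name they pass instead of relying on the guess. The plugin body starts and ends outside the hunk, so whether $group is normalised or otherwise validated before this point cannot be told from here.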
@@ -92,6 +92,12 @@ testsuite_groups() contain "minimum configured key size" json .command groupCreate .error_code KO_KEY_SIZE_TOO_SMALL .value null + plgfail groupCreate a0_fail_create_group_reserved_1 $a0 --osh groupCreate --group key --no-key --owner $account1 + json .command groupCreate .error_code ERR_INVALID_PARAMETER + + plgfail groupCreate a0_fail_create_group_reserved_2 $a0 --osh groupCreate --group keytothegate --no-key --owner $account1 + json .command groupCreate .error_code ERR_INVALID_PARAMETER + success groupCreate a0_create_g1_with_a1_as_owner $a0 --osh groupCreate --group $group1 --algo rsa --size 4096 --owner $account1 contain "The public key of this group is" json $(cat <