Defense in depth for authorized_keys lines

author: Jacob Vosmaer <jacob@gitlab.com> 2016-08-05 12:41:06 +0200
committer: Jacob Vosmaer <jacob@gitlab.com> 2016-08-05 12:41:06 +0200
commit: ae21774c1f6a09ea5029194c66d229aeba1d22d6 (patch)
tree: 6a8615c5b67b7b20590d16e6cffe7f172a3e1214 /lib/gitlab_keys.rb
parent: 7837894a8a740f8ed9a4884fa7faee566eb9b6c2 (diff)
download: gitlab-shell-ae21774c1f6a09ea5029194c66d229aeba1d22d6.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/lib/gitlab_keys.rb b/lib/gitlab_keys.rb
index dc654fd..4034a86 100644
--- a/lib/gitlab_keys.rb
+++ b/lib/gitlab_keys.rb
@@ -4,13 +4,18 @@ require_relative 'gitlab_config'
 require_relative 'gitlab_logger'
 
 class GitlabKeys
+  class KeyError < StandardError ; end
+
   attr_accessor :auth_file, :key
 
   def self.command(key_id)
+    raise KeyError.new("Invalid key_id: #{key_id.inspect}") unless /\A[a-z0-9-]+\z/.match(key_id)
     "#{ROOT_PATH}/bin/gitlab-shell #{key_id}"
   end
 
   def self.key_line(key_id, public_key)
+    public_key.chomp!
+    raise KeyError.new("Invalid public_key: #{public_key.inspect}") if public_key.include?("\n")
     "command=\"#{command(key_id)}\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty #{public_key}"
   end
author	Jacob Vosmaer <jacob@gitlab.com>	2016-08-05 12:41:06 +0200
committer	Jacob Vosmaer <jacob@gitlab.com>	2016-08-05 12:41:06 +0200
commit	ae21774c1f6a09ea5029194c66d229aeba1d22d6 (patch)
tree	6a8615c5b67b7b20590d16e6cffe7f172a3e1214 /lib/gitlab_keys.rb
parent	7837894a8a740f8ed9a4884fa7faee566eb9b6c2 (diff)
download	gitlab-shell-ae21774c1f6a09ea5029194c66d229aeba1d22d6.tar.gz