Ensure error messages don't leak private key #11523
Conversation
| @@ -14,6 +14,9 @@ private: | |||
| const std::string host; | |||
| bool fakeSSH; | |||
| const std::string keyFile; | |||
| /** | |||
| * Raw bytes, not Base64 encoding. | |||
| */ | |||
| const std::string sshPublicHostKey; | |||
There was a problem hiding this comment.
If it's raw bytes, then should it really still be std::string and not something like std::vector<u8> or something?
There was a problem hiding this comment.
Probably, but doing that better would require more changes (because we use std::string in a few places for this) so I think it's best we keep it future work.
There was a problem hiding this comment.
I always felt that c++ string is just the same as a std::vector in other languages.
src/libutil/util.hh
Outdated
| std::string base64Encode(std::string_view s); | ||
| std::string base64Decode(std::string_view s); | ||
|
|
||
| /** | ||
| * Decode arbitrary bytes to Base64. | ||
| * | ||
| * @param hideValue Avoid displaying the raw Base64 in error messages, | ||
| * e.g. to avoid leaking private keys. | ||
| */ | ||
| std::string base64Decode(std::string_view s, bool hideValue = false); |
There was a problem hiding this comment.
@cole-h e.g. these type signatures (strings on both sides) are also not instructive
Mic92
added
backport 2.18-maintenance
src/libutil/util.cc
Outdated
| @@ -220,7 +220,7 @@ std::string base64Encode(std::string_view s) | |||
| } | |||
|
|
|||
|
|
|||
| std::string base64Decode(std::string_view s) | |||
| std::string base64Decode(std::string_view s, bool hideValue) | |||
There was a problem hiding this comment.
is it normal in c++ that the default value only needs to be set in the prototype but not here?
There was a problem hiding this comment.
Yes. I think it will in fact not let you put it in both places.
src/libutil/util.hh
Outdated
| * @param hideValue Avoid displaying the raw Base64 in error messages, | ||
| * e.g. to avoid leaking private keys. | ||
| */ | ||
| std::string base64Decode(std::string_view s, bool hideValue = false); |
There was a problem hiding this comment.
Not a strong opinion but to me this seems more intuitive:
| std::string base64Decode(std::string_view s, bool hideValue = false); | |
| std::string base64Decode(std::string_view s, bool sensitiveValue = false); |
Since NixOS#8766, invalid base64 is rendered in errors, but we don't actually want to show this in the case of an invalid private keys.
Ericson2314
force-pushed
the
base64Decode-no-leak-private-key-on-error
branch
from
18f855c
to
d8b3626
Compare
| try { | ||
| base64Decode(msg, true); | ||
| } catch (FormatError & e) { | ||
| EXPECT_THAT(e.msg(), testing::Not(testing::HasSubstr(msg))); |
There was a problem hiding this comment.
| EXPECT_THAT(e.msg(), testing::Not(testing::HasSubstr(msg))); | |
| EXPECT_THAT(e.msg(), testing::Not(testing::HasSubstr(msg))); | |
| EXPECT_THAT(e.what(), testing::Not(testing::HasSubstr(msg))); |
There was a problem hiding this comment.
This is still not future proof; please also add a functional test, which will cover the eventuality that yet another method is used for retrieving the message (e.g. something more structured than a string).
| * @param sensitiveValue Avoid displaying the raw Base64 in error messages, | ||
| * e.g. to avoid leaking private keys. | ||
| */ | ||
| std::string base64Decode(std::string_view s, bool sensitiveValue = false); |
There was a problem hiding this comment.
| std::string base64Decode(std::string_view s, bool sensitiveValue = false); | |
| std::string base64Decode(std::string_view s, bool sensitiveValue); |
Each caller should just make a decision.
Or, if we disagree, it should fail safely:
| std::string base64Decode(std::string_view s, bool sensitiveValue = false); | |
| std::string base64Decode(std::string_view s, bool sensitiveValue = true); |
|
Add release blocker label because this fixes a minor security regression that's not been released yet. |
Motivation
Since #8766, invalid base64 is rendered in errors, but we don't actually want to show this in the case of an invalid private keys.
Context
#8766
Priorities and Process
Add 👍 to pull requests you find important.
The Nix maintainer team uses a GitHub project board to schedule and track reviews.