fix: harden JSON parsing and path handling in PAM extend#1902
Open
jlima8900 wants to merge 9 commits intoKeeper-Security:releasefrom
Open
fix: harden JSON parsing and path handling in PAM extend#1902jlima8900 wants to merge 9 commits intoKeeper-Security:releasefrom
jlima8900 wants to merge 9 commits intoKeeper-Security:releasefrom
Conversation
jlima8900
force-pushed
the
fix/pam-extend-security-hardening
branch
from
da97c23 to
a3e9f59
Compare
Contributor
Author
|
@aaunario — ready for review. NUL byte stripping, specific exception handlers, path canonicalization. |
jlima8900
force-pushed
the
fix/pam-extend-security-hardening
branch
from
6d9359a to
b6360e1
Compare
* Added full terminal reset after ssh session exit (clears scrollback etc.) * Fixes randomly eaten first characters typed after ssh session exit (stdin race condition) * Fixed random duplicate typed characters (echo)
Keeper-Security#1908) - Added `move` to the list of `apply-action` choices, which will move all returned users to a node - specified with `target-node` - Added `all` to the list of `status` choices, returning invited, active and locked users with `d=0` - Fixed an issue where the users updated with `apply-action` are not the same as those filtered with the `node` argument. - Fixed a potential unwanted behavior where the `node` argument returns a recursive node and subnodes search, preventing you from applying actions to a specific node if it has subnodes. By default, using the `node` argument will only return result from the specified node. - Added a `recursive` argument to replicate the old behavior with `node` filter.
- Split combined except clause into separate JSONDecodeError and UnicodeDecodeError handlers with targeted error messages - Remove redundant PermissionError (subclass of OSError) - Add empty-path guard after NUL byte stripping - Add comment explaining realpath for symlink resolution
jlima8900
force-pushed
the
fix/pam-extend-security-hardening
branch
from
b6360e1 to
58c9592
Compare
sk-keeper
force-pushed
the
release
branch
3 times, most recently
from
442d7af to
9ec9b7a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens JSON parsing and path handling in
keepercommander/commands/pam_import/extend.py.Changes
excepton JSON parse withJSONDecodeError,ValueError,KeyErroros.path.realpathto prevent symlink traversalTests