Files
@ 12824a48192d
Branch filter:
Location: kallithea/scripts/validate-commits - annotation
12824a48192d
1.7 KiB
text/plain
ssh: verify SSH keys haven't been truncated
Ed Wong reported problems with a SSH key that accidentally was copy-pasted with
extra newlines. This truncation wasn't detected, so the truncated key was added
to authorized_keys where it obviously didn't work for sshd.
The base64 decoding would sometimes catch truncated keys - but not always. We
seem to have to look inside the key, parse it according to the RFCs, and verify
they contain the right amount of data for the key type.
It is an additional burden to have to parse SSH key internals just to validate
them. We could consider using some external method for validation. But the
explicit validation introduced here might be more spot-on for our needs.
Ed Wong reported problems with a SSH key that accidentally was copy-pasted with
extra newlines. This truncation wasn't detected, so the truncated key was added
to authorized_keys where it obviously didn't work for sshd.
The base64 decoding would sometimes catch truncated keys - but not always. We
seem to have to look inside the key, parse it according to the RFCs, and verify
they contain the right amount of data for the key type.
It is an additional burden to have to parse SSH key internals just to validate
them. We could consider using some external method for validation. But the
explicit validation introduced here might be more spot-on for our needs.
37ac2ac0a9ae 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 68861940ee1e 68861940ee1e 68861940ee1e 68861940ee1e 68861940ee1e 68861940ee1e 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 68861940ee1e 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 89e9aef9b983 69f70de15f26 69f70de15f26 d9e37f7fd35b 69f70de15f26 69f70de15f26 bf85e6018daa bf85e6018daa 69f70de15f26 69f70de15f26 bf85e6018daa bf85e6018daa bf85e6018daa bf85e6018daa bf85e6018daa bf85e6018daa bf85e6018daa bf85e6018daa 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 | #!/bin/bash
# Validate the specified commits against test suite and other checks.
if [ -n "$VIRTUAL_ENV" ]; then
echo "Please run this script from outside a virtualenv."
exit 1
fi
if ! hg update --check -q .; then
echo "Working dir is not clean, please commit/revert changes first."
exit 1
fi
revset=$1
if [ -z "$revset" ]; then
echo "Warning: no revisions specified, checking draft changes up to the current one."
revset='draft() and ancestors(.)'
fi
venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"
cleanup()
{
rm -rf /tmp/kallithea-test*
rm -rf "$venv"
}
finish()
{
cleanup
# print (possibly intermediate) results
cat "$resultfile"
rm "$resultfile"
}
trap finish EXIT
for rev in $(hg log -r "$revset" -T '{node}\n'); do
hg log -r "$rev"
hg update "$rev"
cleanup
python3 -m venv "$venv"
source "$venv/bin/activate"
pip install --upgrade pip setuptools
pip install -e . -r dev_requirements.txt python-ldap python-pam
# run-all-cleanup
if ! scripts/run-all-cleanup ; then
echo "run-all-cleanup encountered errors!"
result="NOK"
else
if ! hg update --check -q .; then
echo "run-all-cleanup did not give clean results!"
result="NOK"
hg diff
hg revert -a
else
result=" OK"
fi
fi
echo "$result: $rev (run-all-cleanup)" >> "$resultfile"
# pytest
if py.test; then
result=" OK"
else
result="NOK"
fi
echo "$result: $rev (pytest)" >> "$resultfile"
deactivate
echo
done
|