VladPolskiy/postgres-web
1
0
Fork 0
mirror of https://github.com/postgres/pgweb.git synced 2025-08-13 13:12:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Validate ssh keys as they are entered in the profile

Browse Source 
In particular, reject ssh-dss keys here. They don't work anymore since
an upgrade, for security reasons, but there was not really a way for the
user to know why. With this they will at least know if when they try to
save or change the keys.
This commit is contained in:
Magnus Hagander
2018-03-09 15:14:32 -05:00
parent 7576a97108
commit b1aa5e1f21
1 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
pgweb/core/models.py
View File

@ -1,7 +1,10 @@
from django.db import models from django.db import models
from django.core.validators import ValidationError
from django.contrib.auth.models import User from django.contrib.auth.models import User
from pgweb.util.misc import varnish_purge from pgweb.util.misc import varnish_purge
import base64
TESTING_CHOICES = ( TESTING_CHOICES = (
(0, 'Release'), (0, 'Release'),
(1, 'Release candidate'), (1, 'Release candidate'),
@ -162,10 +165,30 @@ class ImportedRSSItem(models.Model):
return self.posttime.strftime("%Y-%m-%d") return self.posttime.strftime("%Y-%m-%d")
# From man sshd, except for ssh-dss
_valid_keytypes = ['ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519', 'ssh-rsa']
# Options, keytype, key, comment. But we don't support options.
def validate_sshkey(key):
lines = key.splitlines()
for k in lines:
pieces = k.split()
if len(pieces) == 0:
raise ValidationError("Empty keys are not allowed")
if len(pieces) > 3:
raise ValidationError('Paste each ssh key without options, e.g. "ssh-rsa AAAAbbbcc mykey@machine"')
if pieces[0] == 'ssh-dss':
raise ValidationError("For security reasons, ssh-dss keys are not supported")
if pieces[0] not in _valid_keytypes:
raise ValidationError("Only keys of types {0} are supported, not {1}.".format(", ".join(_valid_keytypes), pieces[0]))
try:
base64.b64decode(pieces[1])
except:
raise ValidationError("Incorrect base64 encoded key!")
# Extra attributes for users (if they have them) # Extra attributes for users (if they have them)
class UserProfile(models.Model): class UserProfile(models.Model):
user = models.OneToOneField(User, null=False, blank=False, primary_key=True) user = models.OneToOneField(User, null=False, blank=False, primary_key=True)
sshkey = models.TextField(null=False, blank=True, verbose_name="SSH key", help_text= "Paste one or more public keys in OpenSSH format, one per line.") sshkey = models.TextField(null=False, blank=True, verbose_name="SSH key", help_text= "Paste one or more public keys in OpenSSH format, one per line.", validators=[validate_sshkey, ])
lastmodified = models.DateTimeField(null=False, blank=False, auto_now=True) lastmodified = models.DateTimeField(null=False, blank=False, auto_now=True)
# Notifications sent for any moderated content. # Notifications sent for any moderated content.