
No input validation for garbage entry on tps-token-add cli #3295

Open
pki-bot opened this issue Oct 3, 2020 · 1 comment

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #3178. Originally filed by dmoluguw (@SilleBille) on 2020-06-09 15:12:41:


Description of problem:

No input validation for garbage entry on tps-token-add cli

Version-Release number of selected component (if applicable):

# rpm -qi pki-tps
Name        : pki-tps
Version     : 10.8.3
Release     : 1.module+el8pki+5935+02cf7b8d
Architecture: x86_64
Install Date: Friday 29 May 2020 06:10:18 AM EDT
Group       : Unspecified
Size        : 1852713
License     : GPLv2 and LGPLv2
Signature   : RSA/SHA256, Wednesday 04 March 2020 12:35:59 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-extras-10.8.3-1.module+el8pki+5935+02cf7b8d.src.rpm

How reproducible:

Always

Steps to Reproduce:

1. Install CA and there subsystem
2.
# pki -p 25443 -d nssdb/ -c SECret.123 -n "PKI TPS Administrator for Example.Org" tps-token-add "A#$!#@$!@$$%@#$%$#@%$#@%" 
-----------------------------------
Added token "A##@@39766%@#$%0@%0@%"
-----------------------------------
  Token ID: A##@@39766%@#$%0@%0@%
  Status: UNFORMATTED
  Next States: DAMAGED, PERM_LOST
  Date Created: Wed Jun 03 02:55:28 EDT 2020

Debug log :
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: Authenticating certificate chain:
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - CN=PKI Administrator, EMAILADDRESS=tpsadmin@example.com, OU=topology-02-TPS, O=topology-02_Foobarmaster.org
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: CertUserDBAuthentication: UID tpsadmin authenticated.
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: User ID: tpsadmin
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: UGSubsystem: retrieving user uid=tpsadmin,ou=People,o=topology-02-TPS-TPS
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: User DN: uid=tpsadmin,ou=People,o=topology-02-TPS-TPS
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: Roles:
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - TPS Agents
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - Administrators
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - TPS Operators
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: AAclAuthz: Granting login permission for certServer.tps.account
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: Creating session 5EBCEEA2E3FD4301E1DEFAEF47D83FE4
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: Principal:
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - ID: tpsadmin
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - Full Name: tpsadmin
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - Email: tpsadmin@example.com
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO: - Roles:
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO:   - Administrators
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO:   - TPS Agents
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-2] INFO:   - TPS Operators
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-3] INFO: UGSubsystem: retrieving user uid=tpsadmin,ou=People,o=topology-02-TPS-TPS
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-3] INFO: AAclAuthz: Granting add permission for certServer.tps.tokens
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-4] INFO: AAclAuthz: Granting logout permission for certServer.tps.account
2020-06-03 02:58:10 [https-jsse-nio-25443-exec-4] INFO: Destroying session 5EBCEEA2E3FD4301E1DEFAEF47D83FE4

Actual results:

tps-token-add cli accepts all garbage entries

Expected results:

There should be a filter for garbage input value

Additional info:


pki-bot commented Oct 3, 2020

Comment from dmoluguw (@SilleBille) at 2020-06-09 15:14:40

Metadata Update from @SilleBille:

  • Custom field component adjusted to None
  • Custom field feature adjusted to None
  • Custom field origin adjusted to None
  • Custom field proposedmilestone adjusted to None
  • Custom field proposedpriority adjusted to None
  • Custom field reviewer adjusted to None
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1843428
  • Custom field type adjusted to None
  • Custom field version adjusted to None
