From 17175d7d2ef0ca5c527b8e6afdfe8576157f4f1b Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Tue, 18 Nov 2025 15:46:21 +0000
Subject: [PATCH 1/5] fix: add NULL check to adppId
---
 .../secret-provider-agent/src/secret_provider_agent.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
index b847538..fefa0c0 100644
--- a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
+++ b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
@@ -317,6 +317,11 @@ int main(int argc, char** argv) {
 LOG_INFO("Selected log level %d", log_level);
+ if (app_id == NULL) {
+ LOG_ERROR("App ID is missing");
+ return -1;
+ }
+
 if (sbs_endpoint == NULL) {
 LOG_ERROR("SBS mode must provide sbsEndpoint argument (--sbsEndpoint/-e)");
 return -1;
From 84ea09b632d7dc43221df55f3d6ac531c7780037 Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Tue, 18 Nov 2025 16:04:49 +0000
Subject: [PATCH 2/5] fix: add control on ip address and port
---
 .../src/secret_provider_agent.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
index fefa0c0..5af7e67 100644
--- a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
+++ b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
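Review bot: The `app_id` guard added in PATCH 1/5, just before the `sbs_endpoint` check in `main`, rejects only a NULL pointer, so an empty value still passes it; whether anything later rejects an empty ID cannot be seen from this hunk. Consider `if (app_id == NULL || app_id[0] == '\0') {`. The message could also name the command-line option, as the neighbouring `sbs_endpoint` message does with `--sbsEndpoint/-e`, so an operator knows which argument to supply. `main` starts and continues outside the hunk.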
@@ -330,14 +330,25 @@ int main(int argc, char** argv) {
 LOG_DEBUG("Config of SBS endpoint is %s", sbs_endpoint);
 srv_ip = strtok(sbs_endpoint, ":");
+ if (srv_ip == NULL) {
+ LOG_ERROR("sbsEndpoint format error: missing IP address, eg: 127.0.0.1");
+ return -1;
+ }else{
+ struct in_addr test_addr;
+ if (inet_pton(AF_INET, srv_ip, &test_addr) != 1) {
+ LOG_ERROR("Invalid IP address format: %s", srv_ip);
+ return -1;
+ }
+ }
+
 str_port = strtok(NULL, ":");
- if (NULL == str_port) {
- LOG_ERROR("sbsEndpoint format error, eg: 127.0.0.1:5443");
+ if (str_port == NULL) {
+ LOG_ERROR("sbsEndpoint format error: missing port, eg: 5443");
 return -1;
 }
 port = atoi(str_port);
- if (port == 0) {
- LOG_ERROR("Port is invalid, got %s", str_port);
+ if (port <= 0 || port > 65535) {
+ LOG_ERROR("Port is invalid or out of valid range (1-65535), got %d", port);
 return -1;
 }
From 8d08c540c2c33f6bd69fea802145a5f235a742a9 Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Wed, 19 Nov 2025 11:20:08 +0000
Subject: [PATCH 3/5] fix: enforce const on immutable values
---
 .../src/secret_provider_agent.c | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
index 5af7e67..0049bc3 100644
--- a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
+++ b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
@@ -20,7 +20,7 @@
 do { \
 if (log_level <= rats_level) { \
 time_t now = time(NULL); \
- struct tm *t = gmtime(&now); \
+ const struct tm *t = gmtime(&now); \
 char ts[24]; \
 strftime(ts, sizeof(ts), "%Y-%m-%d %H:%M:%S UTC", t); \
 printf("%-29s [%-5s] [%s:%d] " fmt "\n", ts, level, __FILE__, __LINE__, ##__VA_ARGS__); \
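Review bot: The range check added in PATCH 2/5 still takes its value from `port = atoi(str_port);`, which stops at the first non-digit and reports no error, so a constructed endpoint such as `127.0.0.1:5443x` is accepted as port 5443, and a non-numeric port is now logged as `got 0` because the message prints `port` instead of `str_port`. Parsing with `strtol` and checking the end pointer closes both gaps and keeps the operator's original text in the log line, as sketched below. The same conversion appears to stay in place when PATCH 5/5 switches to `str_port = colon + 1`, where everything after the first colon reaches it. `main` starts and ends outside the hunk, and the sketch assumes `<errno.h>` and `<stdlib.h>` are already included.

```c
str_port = strtok(NULL, ":");
/* … unchanged: NULL check on str_port … */
char *end = NULL;
errno = 0;
long parsed_port = strtol(str_port, &end, 10);
if (errno != 0 || end == str_port || *end != '\0' || parsed_port < 1 || parsed_port > 65535) {
    LOG_ERROR("Port is invalid or out of valid range (1-65535), got %s", str_port);
    return -1;
}
port = (int)parsed_port;
```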
@@ -44,14 +44,14 @@ rats_tls_log_level_t log_level = RATS_TLS_LOG_LEVEL_INFO;
 const char* command_get_secret = "getSecret";
 char* get_secret_from_sbs_through_rats_tls(rats_tls_log_level_t log_level,
- char* attester_type,
- char* verifier_type,
- char* tls_type,
- char* crypto_type,
+ const char* attester_type,
+ const char* verifier_type,
+ const char* tls_type,
+ const char* crypto_type,
 bool mutual,
 char* ip,
 int port,
- char* app_id) {
+ const char* app_id) {
 bool validation_error = false;
 if (attester_type == NULL || strlen(attester_type) >= ENCLAVE_ATTESTER_TYPE_NAME_SIZE) {
@@ -243,12 +243,12 @@ int main(int argc, char** argv) {
 {"help", no_argument, NULL, 'h'},
 {0, 0, 0, 0}};
- char* attester_type = "";
- char* verifier_type = "";
- char* tls_type = "";
- char* crypto_type = "";
+ const char* attester_type = "";
+ const char* verifier_type = "";
+ const char* tls_type = "";
+ const char* crypto_type = "";
 bool mutual = true;
- char* app_id = NULL;
+ const char* app_id = NULL;
 int opt;
 do {
 opt = getopt_long(argc, argv, short_options, long_options, NULL);
From bcbd018c6eb2e4ed4ad84f2c745fb3d0b48e5c95 Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Wed, 19 Nov 2025 11:29:40 +0000
Subject: [PATCH 4/5] fix: enforce const on immutable values
---
 .../secret-provider-agent/src/secret_provider_agent.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
index 0049bc3..29b36e0 100644
--- a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
+++ b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
@@ -49,7 +49,7 @@ char* get_secret_from_sbs_through_rats_tls(rats_tls_log_level_t log_level,
 const char* tls_type,
 const char* crypto_type,
 bool mutual,
- char* ip,
+ const char* ip,
 int port,
 const char* app_id) {
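Review bot: `get_secret_from_sbs_through_rats_tls` has no header comment in the `@@ -44,14` hunk of PATCH 3/5, and with the inputs now `const` the one thing the signature still leaves open is the returned `char*`: the hunk does not show who owns that buffer. Because the value is a secret, a doc comment above the signature should state who frees it, whether the caller is expected to clear it before release, and that NULL signals failure (which is how `main` tests it in PATCH 5/5). It could also record the length limits the visible validation applies, for example that `attester_type` must be shorter than `ENCLAVE_ATTESTER_TYPE_NAME_SIZE`. The function body continues outside the hunk.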
@@ -223,10 +223,10 @@ int main(int argc, char** argv) {
 char* secret = "";
 LOG_INFO("Try to get key from SBS");
- char* secret_save_path = NULL;
+ const char* secret_save_path = NULL;
 char* sbs_endpoint = NULL;
- char* srv_ip = NULL;
- char* str_port = NULL;
+ const char* srv_ip = NULL;
+ const char* str_port = NULL;
 int port;
 char* const short_options = "a:v:t:c:ml:s:i:e:h";
From 4488df8096ae28ca63b44bfd411301c682d82806 Mon Sep 17 00:00:00 2001
From: aghiles-ait
Date: Wed, 19 Nov 2025 15:30:31 +0000
Subject: [PATCH 5/5] fix: replace strtok with strchr to avoid modifying sbsEndpoint variable
---
 .../src/secret_provider_agent.c | 41 ++++++++++++-------
 1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
index 29b36e0..3afcbbb 100644
--- a/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
+++ b/cvmassistants/secretprovider/secret-provider-agent/src/secret_provider_agent.c
@@ -224,8 +224,8 @@ int main(int argc, char** argv) {
 LOG_INFO("Try to get key from SBS");
 const char* secret_save_path = NULL;
- char* sbs_endpoint = NULL;
- const char* srv_ip = NULL;
+ const char* sbs_endpoint = NULL;
+ char ip_buf[INET_ADDRSTRLEN];
 const char* str_port = NULL;
 int port;
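Review bot: Two context lines in the `@@ -223,10` hunk of PATCH 4/5 still bind a pointer to non-const `char` to a string literal, which the commit's stated goal would cover: `char* secret = "";` and `char* const short_options = "a:v:t:c:ml:s:i:e:h";` (the latter makes the pointer const, not the characters). For the option string, `const char* const short_options = "a:v:t:c:ml:s:i:e:h";` is enough. `secret` is later assigned the return value of `get_secret_from_sbs_through_rats_tls` and compared with NULL, so initialising it to `NULL` rather than `""` would leave a single "no secret" state; check how the rest of `main`, outside this hunk, uses and releases it before changing that.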
@@ -329,20 +329,33 @@ int main(int argc, char** argv) {
 LOG_DEBUG("Config of SBS endpoint is %s", sbs_endpoint);
- srv_ip = strtok(sbs_endpoint, ":");
- if (srv_ip == NULL) {
- LOG_ERROR("sbsEndpoint format error: missing IP address, eg: 127.0.0.1");
+ const char* colon = strchr(sbs_endpoint, ':');
+ if (colon == NULL) {
+ LOG_ERROR("sbsEndpoint format error: missing ':', eg: 127.0.0.1:5443");
+ return -1;
+ }
+
+ size_t ip_len = colon - sbs_endpoint;
+ if (ip_len == 0) {
+ LOG_ERROR("sbsEndpoint format error: missing IP address");
+ return -1;
+ }
+ if (ip_len >= INET_ADDRSTRLEN) {
+ LOG_ERROR("sbsEndpoint format error: IP address too long");
+ return -1;
+ }
+
+ memcpy(ip_buf, sbs_endpoint, ip_len);
+ ip_buf[ip_len] = '\0';
+
+ struct in_addr test_addr;
+ if (inet_pton(AF_INET, ip_buf, &test_addr) != 1) {
+ LOG_ERROR("Invalid IP address format: %s", ip_buf);
 return -1;
- }else{
- struct in_addr test_addr;
- if (inet_pton(AF_INET, srv_ip, &test_addr) != 1) {
- LOG_ERROR("Invalid IP address format: %s", srv_ip);
- return -1;
- }
 }
- str_port = strtok(NULL, ":");
- if (str_port == NULL) {
+ str_port = colon + 1;
+ if (*str_port == '\0') {
 LOG_ERROR("sbsEndpoint format error: missing port, eg: 5443");
 return -1;
 }
@@ -363,7 +376,7 @@ int main(int argc, char** argv) {
 }
 secret = get_secret_from_sbs_through_rats_tls(log_level, attester_type, verifier_type,
- tls_type, crypto_type, mutual, srv_ip,
+ tls_type, crypto_type, mutual, ip_buf,
 port, app_id);
 if (secret == NULL) {
 LOG_ERROR("Get secret from SBS failed");
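Review bot: The endpoint parser in the `@@ -329,20` hunk of PATCH 5/5 accepts only `<IPv4 literal>:<port>`, but no comment records that restriction. It splits at the first `:`, copies at most `INET_ADDRSTRLEN - 1` characters into `ip_buf` and validates with `inet_pton(AF_INET, ...)`, so a hostname or an IPv6 literal ends in "Invalid IP address format" or "IP address too long". If that is intended, a comment above the `strchr` call would record it, e.g. `/* sbsEndpoint is "<IPv4 dotted-quad>:<port>"; hostnames and IPv6 literals are rejected. */`, and the help text for `--sbsEndpoint` (outside this hunk) should presumably say the same. `main` starts and continues outside the hunk.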