fix: groupCreate: deny groups starting with 'key'

Mitigates #178
5 years ago · 344865884b
parent f4c59ca96b
commit 344865884b
2 changed files with 14 additions and 0 deletions
--- a/bin/plugin/restricted/groupCreate
+++ b/bin/plugin/restricted/groupCreate
@ -83,6 +83,14 @@ if (!$group || !$owner) {
    osh_exit 'ERR_MISSING_PARAMETER', "Group name or owner is missing";
 }

+# first, check that the name doesn't start with 'key' (see https://github.com/ovh/the-bastion/issues/178)
+# as the is_valid_group() internally automatically guesses whether the input is from a user (in that case
+# the $group is a bastion group name) or some other part of the code (in that case the $group might be
+# the name of the OS group mapped to the bastion group name, hence starting with 'key')
+if ($group =~ /^key/) {
+    osh_exit 'ERR_INVALID_PARAMETER', "The group name can't start with 'key' (reserved prefix)";
+}
+
 if ($algo && !$size && lc($algo) eq 'ed25519') {
    $size = 256;    # ed25519 size is always 256
 }
--- a/tests/functional/tests.d/350-groups.sh
+++ b/tests/functional/tests.d/350-groups.sh
@ -92,6 +92,12 @@ testsuite_groups()
    contain "minimum configured key size"
    json .command groupCreate .error_code KO_KEY_SIZE_TOO_SMALL .value      null

+    plgfail groupCreate a0_fail_create_group_reserved_1 $a0 --osh groupCreate --group key --no-key --owner $account1
+    json .command groupCreate .error_code ERR_INVALID_PARAMETER
+
+    plgfail groupCreate a0_fail_create_group_reserved_2 $a0 --osh groupCreate --group keytothegate --no-key --owner $account1
+    json .command groupCreate .error_code ERR_INVALID_PARAMETER
+
    success groupCreate a0_create_g1_with_a1_as_owner $a0 --osh groupCreate --group $group1 --algo rsa --size 4096 --owner $account1
    contain "The public key of this group is"
    json $(cat <<EOS