Merge pull request #4762 from jmcrawford45/PS-5627-vault-dos

Fix various regex security vulns

Author: jmcrawford45

lemur/authorities/schemas.py

@@ -98,6 +98,7 @@ class AuthorityUpdateSchema(LemurInputSchema):
     description = fields.String()
     active = fields.Boolean(missing=True)
     roles = fields.Nested(AssociatedRoleSchema(many=True))
+    options = fields.String()
 
 
 class RootAuthorityCertificateOutputSchema(LemurOutputSchema):

lemur/plugins/lemur_acme/plugin.py

@@ -47,7 +47,7 @@ class ACMEIssuerPlugin(IssuerPlugin):
             "name": "acme_url",
             "type": "str",
             "required": True,
-            "validation": check_validation(r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"),
+            "validation": check_validation(r"http[s]?://(?:[a-zA-Z]|[0-9]|[$_@.&+-]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"),
             "helpMessage": "ACME resource URI. Must be a valid web url starting with http[s]://",
         },
         {
@@ -342,7 +342,7 @@ class ACMEHttpIssuerPlugin(IssuerPlugin):
             "name": "acme_url",
             "type": "str",
             "required": True,
-            "validation": check_validation(r"http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"),
+            "validation": check_validation(r"http[s]?://(?:[a-zA-Z]|[0-9]|[$_@.&+-]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"),
             "helpMessage": "Must be a valid web url starting with http[s]://",
         },
         {

lemur/plugins/lemur_azure_dest/plugin.py

@@ -122,7 +122,7 @@ class AzureDestinationPlugin(DestinationPlugin):
             "name": "azurePassword",
             "type": "str",
             "required": True,
-            "validation": check_validation("[0-9a-zA-Z.:_-~]+"),
+            "validation": check_validation("[0-9a-zA-Z.:_~-]+"),
             "helpMessage": "Tenant password for the Azure Key Vault",
         }
     ]

lemur/plugins/lemur_vault_dest/plugin.py

@@ -62,8 +62,8 @@ class VaultSourcePlugin(SourcePlugin):
             "name": "tokenFileOrVaultRole",
             "type": "str",
             "required": True,
-            "validation": check_validation("^([a-zA-Z0-9/._-]+/?)+$"),
-            "helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
+            "validation": check_validation("^[a-zA-Z0-9/._-]+/?$"),
+            "helpMessage": "Must be valid file path for token based auth and valid role if k8s based auth",
         },
         {
             "name": "vaultMount",
@@ -189,7 +189,7 @@ class VaultDestinationPlugin(DestinationPlugin):
             "name": "tokenFileOrVaultRole",
             "type": "str",
             "required": True,
-            "validation": check_validation("^([a-zA-Z0-9/._-]+/?)+$"),
+            "validation": check_validation("^[a-zA-Z0-9/._-]+/?$"),
             "helpMessage": "Must be vaild file path for token based auth and valid role if k8s based auth",
         },
         {
@@ -203,15 +203,17 @@ class VaultDestinationPlugin(DestinationPlugin):
             "name": "vaultPath",
             "type": "str",
             "required": True,
-            "validation": check_validation("^(([a-zA-Z0-9._-]+|{(CN|OU|O|L|S|C)})+/?)+$"),
-            "helpMessage": "Must be a valid Vault secrets path. Support vars: {CN|OU|O|L|S|C}",
+            "validation": check_validation(
+                "^([a-zA-Z0-9._-]+|{CN}|{OU}|{O}|{L}|{S}|{C})(/?([a-zA-Z0-9._-]+|{CN}|{OU}|{O}|{L}|{S}|{C}))*$"),
+            "helpMessage": "Must be a valid Vault secrets path. Support vars: {CN}|{OU}|{O}|{L}|{S}|{C}",
         },
         {
             "name": "objectName",
             "type": "str",
             "required": False,
-            "validation": check_validation("^([0-9a-zA-Z.:_-]+|{(CN|OU|O|L|S|C)})+$"),
-            "helpMessage": "Name to bundle certs under, if blank use {CN}. Support vars: {CN|OU|O|L|S|C}",
+            "validation": check_validation(
+                "^([a-zA-Z0-9:._-]+|{CN}|{OU}|{O}|{L}|{S}|{C})(/?([a-zA-Z0-9._-]+|{CN}|{OU}|{O}|{L}|{S}|{C}))*$"),
+            "helpMessage": "Name to bundle certs under, if blank use {CN}. Support vars: {CN}|{OU}|{O}|{L}|{S}|{C}",
         },
         {
             "name": "bundleChain",

lemur/plugins/lemur_vault_dest/tests/plugin.py

@@ -2,6 +2,8 @@
 from lemur.plugins.bases import SourcePlugin
 import pytest
 
+from lemur.plugins.lemur_vault_dest.plugin import VaultSourcePlugin, VaultDestinationPlugin
+
 
 class TestSourcePlugin(SourcePlugin):
     title = "Test"
@@ -94,3 +96,49 @@ def test_vault_plugin_input_schema(session):
     assert not errors
     assert data
     assert "plugin_object" in data
+
+
+@pytest.mark.parametrize("option, value, valid", [
+    ("tokenFileOrVaultRole", "", False),
+    ("vaultPath", "", False),
+    ("tokenFileOrVaultRole", "/leading/slash", True),
+    ("vaultPath", "/leading/slash", False),
+    ("tokenFileOrVaultRole", "{CN}/subs", False),
+    ("vaultPath", "{CN}/subs", False),
+    ("tokenFileOrVaultRole", "/leading/slash", True),
+    ("vaultPath", "/leading/slash", False),
+    ("tokenFileOrVaultRole", "noslash", True),
+    ("vaultPath", "noslash", True),
+    ("tokenFileOrVaultRole", "some/random/file.json", True),
+    ("vaultPath", "some/random/file.json", True),
+])
+def test_source_options(option, value, valid):
+    plugin = VaultSourcePlugin()
+    if valid:
+        plugin.validate_option_value(option, value)
+    else:
+        with pytest.raises(ValueError):
+            plugin.validate_option_value(option, value)
+
+
+@pytest.mark.parametrize("option, value, valid", [
+    ("tokenFileOrVaultRole", "", False),
+    ("vaultPath", "", False),
+    ("tokenFileOrVaultRole", "/leading/slash", True),
+    ("vaultPath", "/leading/slash", False),
+    ("tokenFileOrVaultRole", "{CN}/subs", False),
+    ("vaultPath", "{CN}/subs", True),
+    ("tokenFileOrVaultRole", "/leading/slash", True),
+    ("vaultPath", "/leading/slash", False),
+    ("tokenFileOrVaultRole", "noslash", True),
+    ("vaultPath", "noslash", True),
+    ("tokenFileOrVaultRole", "some/random/file.json", True),
+    ("vaultPath", "some/random/file.json", True),
+])
+def test_dest_options(option, value, valid):
+    plugin = VaultDestinationPlugin()
+    if valid:
+        plugin.validate_option_value(option, value)
+    else:
+        with pytest.raises(ValueError):
+            plugin.validate_option_value(option, value)

lemur/tests/test_authorities.py

@@ -406,3 +406,37 @@ def test_authority_roles(client, session, issuer_plugin):
     )
     assert resp.status_code == 200
     assert len(resp.json["roles"]) == 0
+
+
+@pytest.mark.parametrize(
+    "token,authority_number,status",
+    [
+        (VALID_ADMIN_HEADER_TOKEN, 100, 200),
+    ],
+)
+def test_authorities_put_update_options(client, authority_number, token, status):
+    """
+    This test relies on the configuration option ADMIN_ONLY_AUTHORITY_CREATION = True, set in conf.py
+    """
+    data = {'name': f'testauthority{authority_number}', 'owner': 'test@example.com',
+            'common_name': 'testauthority1.example.com', "serial_number": 1,
+            "validityStart": "2023-07-12T07:00:00.000Z",
+            "validityEnd": "2050-07-13T07:00:00.000Z",
+            'plugin': {'slug': 'cryptography-issuer'}}
+    response = client.post(
+        api.url_for(AuthoritiesList),
+        data=json.dumps(data),
+        headers=token
+    )
+    assert response.status_code == status, f"expected code {status}, but actual code was {response.status_code}; error: {response.json}"
+    response = json.loads(
+        client.put(
+            api.url_for(Authorities, authority_id=1), data=json.dumps(
+                {'owner': 'updated@example.com',
+                 'description': 'updated',
+                 'roles': [],
+                 'options': json.dumps([{'updated': 'bar'}])}), headers=token
+        ).text
+    )
+    for field in ['owner', 'description', 'options']:
+        assert 'updated' in json.dumps(response[field])

requirements-dev.txt

@@ -298,7 +298,7 @@ jeepney==0.8.0
     # via
     #   keyring
     #   secretstorage
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   -r requirements-tests.txt
     #   flask

requirements-docs.txt

@@ -327,7 +327,7 @@ javaobj-py3==0.4.3
     # via
     #   -r requirements-tests.txt
     #   pyjks
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   -r requirements-tests.txt
     #   flask

requirements-tests.txt

@@ -255,7 +255,7 @@ javaobj-py3==0.4.3
     # via
     #   -r requirements.txt
     #   pyjks
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   -r requirements.txt
     #   flask

requirements.txt

@@ -151,7 +151,7 @@ itsdangerous==2.1.2
     #   flask
 javaobj-py3==0.4.3
     # via pyjks
-jinja2==3.1.2
+jinja2==3.1.3
     # via
     #   -r requirements.in
     #   flask