Merge branch 'feature/kshark-enhancements-round-1'

Author: kamir

client-sec-test.properties

@@ -0,0 +1,4 @@
+# Properties for security testing
+bootstrap.servers=localhost:9092
+schema.registry.url=http://localhost:8081
+basic.auth.user.info=testuser:testpassword

cmd/kshark/main.go

@@ -36,6 +36,8 @@ import (
 	"strings"
 	"time"
 
+	"regexp"
+
 	"github.com/segmentio/kafka-go"
 	"github.com/segmentio/kafka-go/sasl"
 	"github.com/segmentio/kafka-go/sasl/plain"
@@ -824,7 +826,19 @@ func runCmdIfExists(name string, args ...string) (string, error) {
 	return buf.String(), err
 }
 
+// isValidHostname checks if the hostname is valid and doesn't contain malicious characters.
+func isValidHostname(host string) bool {
+	// Regex to match a valid hostname (alphanumeric, hyphens, periods).
+	// It explicitly disallows characters like ';', '&', '|', '`', '$', '(', ')', etc.
+	re := regexp.MustCompile(`^[a-zA-Z0-9\.\-]+$`)
+	return re.MatchString(host)
+}
+
 func bestEffortTraceroute(r *Report, host string) {
+	if !isValidHostname(host) {
+		addRow(r, Row{"diag", host, DIAG, FAIL, "Invalid hostname provided", "Skipping traceroute to prevent command injection."})
+		return
+	}
 	// Linux: traceroute or tracepath; macOS: traceroute; Windows: tracert
 	if out, err := runCmdIfExists("traceroute", "-n", "-w", "2", "-q", "1", host); err == nil {
 		addRow(r, Row{"diag", host, DIAG, OK, "traceroute OK (see JSON)", ""})
@@ -845,6 +859,10 @@ func bestEffortTraceroute(r *Report, host string) {
 }
 
 func mtuCheck(r *Report, host string) {
+	if !isValidHostname(host) {
+		addRow(r, Row{"diag", host, DIAG, FAIL, "Invalid hostname provided", "Skipping MTU check to prevent command injection."})
+		return
+	}
 	// Linux tracepath usually reports pMTU; otherwise try ping DF
 	if out, err := runCmdIfExists("tracepath", host); err == nil && strings.Contains(out, "pmtu") {
 		addRow(r, Row{"diag", host, DIAG, OK, "pMTU detected via tracepath", ""})
@@ -1150,11 +1168,13 @@ endScan:
 	printPretty(report)
 
 	if *jsonOut != "" {
-		if err := writeJSON(*jsonOut, report); err != nil {
-			fmt.Fprintf(os.Stderr, "write json: %v\n", err)
+		actualPath, err := writeJSON(*jsonOut, report)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error writing JSON report: %v\n", err)
 			os.Exit(1)
 		}
-		fmt.Printf("JSON report written to %s\n", *jsonOut)
+		absPath, _ := filepath.Abs(actualPath)
+		fmt.Printf("JSON report written to %s\n", absPath)
 	}
 
 	if *analyze && !*noAI {
@@ -1274,28 +1294,53 @@ func writeHTMLReport(r *Report, analysis *AIAnalysisResponse) (string, error) {
 	return reportPath, nil
 }
 
-func writeJSON(path string, r *Report) error {
+func createSafeReportPath(userInputPath string, safeSubDir string) (string, error) {
+	if userInputPath == "" {
+		return "", errors.New("output path cannot be empty")
+	}
+
+	// Sanitize the filename by stripping any directory components
+	cleanFilename := filepath.Base(userInputPath)
+	if cleanFilename == "." || cleanFilename == "/" || cleanFilename == ".." {
+		return "", fmt.Errorf("invalid filename provided: %s", userInputPath)
+	}
+
+	// Ensure the safe subdirectory exists
+	if err := os.MkdirAll(safeSubDir, 0755); err != nil {
+		return "", fmt.Errorf("could not create reports directory '%s': %w", safeSubDir, err)
+	}
+
+	// Join the safe directory and the clean filename
+	safePath := filepath.Join(safeSubDir, cleanFilename)
+	return safePath, nil
+}
+
+func writeJSON(path string, r *Report) (string, error) {
 	if path == "" {
-		return nil
+		return "", nil
 	}
-	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
-		return err
+
+	safePath, err := createSafeReportPath(path, "reports")
+	if err != nil {
+		return "", fmt.Errorf("invalid output path: %w", err)
 	}
-	f, err := os.Create(path)
+
+	f, err := os.Create(safePath)
 	if err != nil {
-		return err
+		return safePath, err
 	}
 	defer f.Close()
+
 	enc := json.NewEncoder(f)
 	enc.SetIndent("", "  ")
-	return enc.Encode(r)
+	return safePath, enc.Encode(r)
 }
 
 func redactProps(p map[string]string) map[string]string {
 	out := map[string]string{}
 	for k, v := range p {
 		lk := strings.ToLower(k)
-		if strings.Contains(lk, "password") || strings.Contains(lk, "secret") || k == "sasl.oauthbearer.token" || strings.Contains(lk, "key") {
+		if strings.Contains(lk, "password") || strings.Contains(lk, "secret") || k == "sasl.oauthbearer.token" || strings.Contains(lk, "key") || k == "basic.auth.user.info" {
 			out[k] = "***"
 		} else {
 			out[k] = v

kshark

@@ -0,0 +1,127 @@
+{
+  "rows": [
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "L3-Network",
+      "status": "OK",
+      "detail": "Resolved host"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L4-TCP",
+      "status": "OK",
+      "detail": "Connected in 134ms"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L5-6-TLS",
+      "status": "OK",
+      "detail": "TLS 303; peer=*.cert-intl-gkyqm625.us-east1.gcp.confluent.cloud; expires=2025-10-12"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L7-Kafka",
+      "status": "OK",
+      "detail": "ApiVersions OK"
+    },
+    {
+      "component": "kafka",
+      "target": "",
+      "layer": "L7-Kafka",
+      "status": "FAIL",
+      "detail": "Topic not found / not authorized (DescribeTopic).",
+      "hint": "Grant Describe on topic or create it."
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "OK",
+      "detail": "traceroute OK (see JSON)"
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "SKIP",
+      "detail": "traceroute to pkc-619z3.us-east1.gcp.confluent.cloud (35.231.227.240), 64 hops max, 40 byte packets\n 1  192.168.0.1  2.189 ms\n 2  192.168.2.1  2.604 ms\n 3  62.155.247.158  8.347 ms\n 4  62.154.4.230  16.313 ms\n 5  80.150.170.70  15.908 ms\n 6  35.231.227.240  121.773 ms\n",
+      "hint": "Full output in JSON if -json used."
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "OK",
+      "detail": "MTU ok at payload 1464"
+    },
+    {
+      "component": "schema-reg",
+      "target": "psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+      "layer": "L3-Network",
+      "status": "OK",
+      "detail": "Resolved host"
+    },
+    {
+      "component": "schema-reg",
+      "target": "https://psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+      "layer": "L7-HTTP",
+      "status": "OK",
+      "detail": "GET /subjects OK"
+    }
+  ],
+  "summary": {
+    "Diag": {
+      "ok": 2,
+      "warn": 0,
+      "fail": 0,
+      "skip": 1
+    },
+    "L3-Network": {
+      "ok": 2,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L4-TCP": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L5-6-TLS": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L7-HTTP": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L7-Kafka": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 1,
+      "skip": 0
+    }
+  },
+  "started_at": "2025-09-11T09:45:55.296994+02:00",
+  "finished_at": "2025-09-11T09:46:08.414219+02:00",
+  "config_echo": {
+    "basic.auth.credentials.source": "USER_INFO",
+    "basic.auth.user.info": "***",
+    "bootstrap.servers": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+    "sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username='5DIC7ADQTDV43IZN' password='cflt/DOxaMUtNPon0Ko/OteSVYKi7LSpVjjhSJcgmW+6MEJyW8bc/PofsiXX+k3Q';",
+    "sasl.mechanism": "PLAIN",
+    "sasl.password": "***",
+    "sasl.username": "5DIC7ADQTDV43IZN",
+    "schema.registry.url": "https://psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+    "security.protocol": "SASL_SSL"
+  }
+}

my-report.json

@@ -0,0 +1,127 @@
+{
+  "rows": [
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "L3-Network",
+      "status": "OK",
+      "detail": "Resolved host"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L4-TCP",
+      "status": "OK",
+      "detail": "Connected in 133ms"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L5-6-TLS",
+      "status": "OK",
+      "detail": "TLS 303; peer=*.cert-intl-gkyqm625.us-east1.gcp.confluent.cloud; expires=2025-10-12"
+    },
+    {
+      "component": "kafka",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+      "layer": "L7-Kafka",
+      "status": "OK",
+      "detail": "ApiVersions OK"
+    },
+    {
+      "component": "kafka",
+      "target": "",
+      "layer": "L7-Kafka",
+      "status": "FAIL",
+      "detail": "Topic not found / not authorized (DescribeTopic).",
+      "hint": "Grant Describe on topic or create it."
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "OK",
+      "detail": "traceroute OK (see JSON)"
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "SKIP",
+      "detail": "traceroute to pkc-619z3.us-east1.gcp.confluent.cloud (35.231.227.240), 64 hops max, 40 byte packets\n 1  192.168.0.1  2.352 ms\n 2  192.168.2.1  3.027 ms\n 3  62.155.247.158  8.710 ms\n 4  62.154.4.226  18.852 ms\n 5  80.150.170.70  15.815 ms\n 6  35.231.227.240  118.944 ms\n",
+      "hint": "Full output in JSON if -json used."
+    },
+    {
+      "component": "diag",
+      "target": "pkc-619z3.us-east1.gcp.confluent.cloud",
+      "layer": "Diag",
+      "status": "OK",
+      "detail": "MTU ok at payload 1464"
+    },
+    {
+      "component": "schema-reg",
+      "target": "psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+      "layer": "L3-Network",
+      "status": "OK",
+      "detail": "Resolved host"
+    },
+    {
+      "component": "schema-reg",
+      "target": "https://psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+      "layer": "L7-HTTP",
+      "status": "OK",
+      "detail": "GET /subjects OK"
+    }
+  ],
+  "summary": {
+    "Diag": {
+      "ok": 2,
+      "warn": 0,
+      "fail": 0,
+      "skip": 1
+    },
+    "L3-Network": {
+      "ok": 2,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L4-TCP": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L5-6-TLS": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L7-HTTP": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 0,
+      "skip": 0
+    },
+    "L7-Kafka": {
+      "ok": 1,
+      "warn": 0,
+      "fail": 1,
+      "skip": 0
+    }
+  },
+  "started_at": "2025-09-11T09:51:08.335438+02:00",
+  "finished_at": "2025-09-11T09:51:21.413915+02:00",
+  "config_echo": {
+    "basic.auth.credentials.source": "USER_INFO",
+    "basic.auth.user.info": "***",
+    "bootstrap.servers": "pkc-619z3.us-east1.gcp.confluent.cloud:9092",
+    "sasl.jaas.config": "org.apache.kafka.common.security.plain.PlainLoginModule required username='5DIC7ADQTDV43IZN' password='cflt/DOxaMUtNPon0Ko/OteSVYKi7LSpVjjhSJcgmW+6MEJyW8bc/PofsiXX+k3Q';",
+    "sasl.mechanism": "PLAIN",
+    "sasl.password": "***",
+    "sasl.username": "5DIC7ADQTDV43IZN",
+    "schema.registry.url": "https://psrc-lo5k9.eu-central-1.aws.confluent.cloud",
+    "security.protocol": "SASL_SSL"
+  }
+}