gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0725713e19d51213826d8afb3b06cac48e51ddb9
certctl/internal/validation/command.go
T
shankar0123 3e3e68fd3a fix(security): TICKET-009 add HTTP timeouts to notifier clients 
- Added TestSlack_ClientHasTimeout to verify 10-second timeout
- Added TestTeams_ClientHasTimeout to verify 10-second timeout
- Added TestPagerDuty_ClientHasTimeout to verify 10-second timeout
- Added TestOpsGenie_ClientHasTimeout to verify 10-second timeout
- All notifiers already configured with 10 second timeout in New()
- Tests verify timeout is set and matches expected value
2026-03-27 21:33:31 -04:00

149 lines
5.0 KiB
Go
Raw Blame History

// Package validation provides security-focused input validation functions for certctl.
//
// This package enforces strict input validation to prevent injection attacks,
// including command injection in shell-based connectors and DNS injection in ACME handlers.
package validation
import (
"fmt"
"regexp"
"strings"
)
// ValidateShellCommand validates that a command string does not contain shell metacharacters
// that could enable command injection. Commands should not contain:
// - Shell operators: ; | & $ ` ( ) { } < > \\ "
// - Newlines or other control characters
//
// This validation is intentionally strict to prevent any possibility of
// shell injection, even in unexpected contexts. Commands should be simple,
// executable names or paths without complex shell syntax.
//
// Returns an error if metacharacters are detected.
func ValidateShellCommand(cmd string) error {
if cmd == "" {
return fmt.Errorf("command cannot be empty")
}
if len(cmd) > 1024 {
return fmt.Errorf("command exceeds maximum length (1024 characters)")
}
// List of shell metacharacters that indicate potential injection
dangerousChars := []string{
";", "|", "&", "$", "`", "(", ")", "{", "}", "<", ">", "\\", "\"", "'", "\n", "\r", "\x00",
}
for _, char := range dangerousChars {
if strings.Contains(cmd, char) {
return fmt.Errorf("command contains shell metacharacter %q (potential injection)", char)
}
}
return nil
}
// ValidateDomainName validates a domain name against RFC 1123 with support for wildcards.
// Valid domain names contain only:
// - Alphanumeric characters (a-z, A-Z, 0-9)
// - Hyphens (-)
// - Dots (.) as separators
// - Optional wildcard prefix: *.
//
// Examples of valid domains:
// - example.com
// - sub.example.com
// - *.example.com
// - example.co.uk
//
// Returns an error if the domain contains invalid characters or is malformed.
func ValidateDomainName(domain string) error {
if domain == "" {
return fmt.Errorf("domain cannot be empty")
}
if len(domain) > 253 {
return fmt.Errorf("domain exceeds maximum length (253 characters)")
}
// Regular expression for RFC 1123 domain names with wildcard support
// Pattern explanation:
// ^(\*\.)? - Optional wildcard prefix
// ([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)* - Subdomains (labels separated by dots)
// [a-zA-Z0-9](-?[a-zA-Z0-9])*$ - Top-level domain label
domainRegex := regexp.MustCompile(`^(\*\.)?([a-zA-Z0-9](-?[a-zA-Z0-9])*\.)*[a-zA-Z0-9](-?[a-zA-Z0-9])*$`)
if !domainRegex.MatchString(domain) {
return fmt.Errorf("domain %q is invalid (must match RFC 1123 format)", domain)
}
// Additional check: no double dots
if strings.Contains(domain, "..") {
return fmt.Errorf("domain %q contains consecutive dots", domain)
}
// Additional check: labels cannot start or end with hyphen
labels := strings.Split(domain, ".")
for _, label := range labels {
// Skip wildcard label
if label == "*" {
continue
}
if strings.HasPrefix(label, "-") || strings.HasSuffix(label, "-") {
return fmt.Errorf("domain label %q cannot start or end with hyphen", label)
}
if len(label) > 63 {
return fmt.Errorf("domain label %q exceeds maximum length (63 characters)", label)
}
}
return nil
}
// ValidateACMEToken validates that an ACME token contains only safe characters.
// ACME tokens should contain only base64url-safe characters:
// - Alphanumeric (a-z, A-Z, 0-9)
// - Hyphens (-)
// - Underscores (_)
//
// This prevents injection attacks if tokens are used in shell commands
// or other contexts where special characters could be interpreted.
//
// Returns an error if the token contains unsafe characters.
func ValidateACMEToken(token string) error {
if token == "" {
return fmt.Errorf("ACME token cannot be empty")
}
if len(token) > 512 {
return fmt.Errorf("ACME token exceeds maximum length (512 characters)")
}
// Regular expression for base64url characters: [A-Za-z0-9_-]
tokenRegex := regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
if !tokenRegex.MatchString(token) {
return fmt.Errorf("ACME token contains invalid characters (must be base64url-safe)")
}
return nil
}
// SanitizeForShell escapes a string to make it safe for use in shell commands.
// This is a defense-in-depth measure for cases where shell execution cannot be avoided.
//
// The sanitization wraps the string in single quotes and escapes any embedded
// single quotes by closing the quote, adding an escaped quote, and reopening.
// This prevents the string from being interpreted as shell code.
//
// Example: "hello'world" becomes "'hello'\"'\"'world'"
//
// Note: This should only be used as a last resort. Prefer alternatives such as:
// - Passing arguments directly to exec.Command instead of via shell
// - Using environment variables instead of shell substitution
// - Validating input strictly with ValidateShellCommand, ValidateDomainName, etc.
func SanitizeForShell(s string) string {
// Escape single quotes by closing the quote, adding an escaped quote, and reopening
return "'" + strings.ReplaceAll(s, "'", "'\"'\"'") + "'"
}
Reference in New Issue View Git Blame Copy Permalink