Skip to content

Commit

Permalink
Merge pull request #1366 from yast/huha-pw-leak-master
Browse files Browse the repository at this point in the history
Guard secret attributes against leaking to the logs [master]
  • Loading branch information
shundhammer authored Mar 13, 2024
2 parents 2ac81c0 + c974a08 commit 06af314
Show file tree
Hide file tree
Showing 4 changed files with 58 additions and 5 deletions.
6 changes: 6 additions & 0 deletions package/yast2-network.changes
Original file line number Diff line number Diff line change
@@ -1,3 +1,9 @@
-------------------------------------------------------------------
Wed Mar 13 14:20:25 UTC 2024 - Stefan Hundhammer <[email protected]>

- Guard secret attributes against leaking to the log (bsc#1221194)
- 5.0.3

-------------------------------------------------------------------
Tue Jan 16 10:34:01 UTC 2024 - Knut Anderssen <[email protected]>

Expand Down
2 changes: 1 addition & 1 deletion package/yast2-network.spec
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@


Name: yast2-network
Version: 5.0.2
Version: 5.0.3
Release: 0
Summary: YaST2 - Network Configuration
License: GPL-2.0-only
Expand Down
14 changes: 10 additions & 4 deletions src/lib/y2network/connection_config/wireless.rb
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,14 @@

require "y2network/connection_config/base"
require "yast2/equatable"
require "yast2/secret_attributes"

module Y2Network
module ConnectionConfig
# Configuration for wireless connections
class Wireless < Base
include Yast2::Equatable
include Yast2::SecretAttributes

# wireless options
#
Expand All @@ -37,13 +39,15 @@ class Wireless < Base
attr_accessor :nwid
# @return [Symbol] Authorization mode (:open, :shared, :psk, :eap)
attr_accessor :auth_mode

# FIXME: Consider moving keys to different classes.
# @return [String] WPA preshared key
attr_accessor :wpa_psk
secret_attr :wpa_psk
# @return [Integer]
attr_accessor :key_length

# @return [Array<String>] WEP keys
attr_accessor :keys
secret_attr :keys
# @return [Integer] default WEP key
attr_accessor :default_key
# @return [String]
Expand All @@ -63,9 +67,10 @@ class Wireless < Base
# FIXME: Consider an enum
# @return [Integer] (0, 1, 2)
attr_accessor :ap_scanmode

# TODO: unify psk and password and write correct one depending on mode
# @return [String]
attr_accessor :wpa_password
secret_attr :wpa_password
# @return [String]
attr_accessor :wpa_identity
# @return [String] initial identity used for creating tunnel
Expand All @@ -76,8 +81,9 @@ class Wireless < Base
attr_accessor :client_cert
# @return [String] client private key used to encrypt for TLS
attr_accessor :client_key

# @return [String] client private key password
attr_accessor :client_key_password
secret_attr :client_key_password

def initialize
super
Expand Down
41 changes: 41 additions & 0 deletions test/y2network/config_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -604,4 +604,45 @@
expect(new_config.connections).to eq(updated_connections)
end
end

context "secret attributes (passwords, keys)" do
let(:conn) do
Y2Network::ConnectionConfig::Wireless.new.tap do |c|
c.wpa_psk = "s3cr3t"
c.wpa_password = "s3cr3t"
c.client_key_password = "s3cr3t"
end
end

describe ".inspect" do
it "does not leak a password" do
expect(conn.inspect).to_not match(/s3cr3t/)
end

it "contains <secret> instead of passwords" do
expect(conn.inspect).to match(/<secret>/)
end
end

describe ".to_s" do
it "does not leak a password" do
# it's usually something like
# "#<Y2Network::ConnectionConfig::Wireless:0x000055b752576318>"
# so there shouldn't be any attributes - just making sure
expect(conn.to_s).to_not match(/s3cr3t/)
end
end

describe ".wpa_psk" do
it "returns the real password" do
expect(conn.wpa_psk).to eq("s3cr3t")
end
end

describe ".wpa_psk.to_s" do
it "returns the real password" do
expect(conn.wpa_psk.to_s).to eq("s3cr3t")
end
end
end
end

0 comments on commit 06af314

Please sign in to comment.