Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade build-info-go to v1.10.2 #1029

Merged
merged 1 commit into from
Oct 10, 2024
Merged

Upgrade build-info-go to v1.10.2 #1029

merged 1 commit into from
Oct 10, 2024

Conversation

eyalbe4
Copy link
Contributor

@eyalbe4 eyalbe4 commented Oct 10, 2024

No description provided.

@eyalbe4 eyalbe4 added improvement Automatically generated release notes safe to test Approve running integration tests on a pull request labels Oct 10, 2024
@github-actions github-actions bot removed the safe to test Approve running integration tests on a pull request label Oct 10, 2024
@eyalbe4 eyalbe4 changed the title build-info-go to v1.10.2 Upgrade build-info-go to v1.10.2 Oct 10, 2024
@github-actions GitHub Actions
Copy link
Contributor

🚨 Frogbot scanned this pull request and found the below:

@github-actions GitHub Actions
Copy link
Contributor 

{
		User: "admin",
		Auth: []ssh.AuthMethod{
			sshAuth,
		},
		//#nosec G106 -- Used to get ssh headers only.
		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
	}

at auth/sshlogin.go (line 67)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity Finding

Low		 SSH key not verified properly, expired certificates may be accepted
Full description

Overview

SSH Keys Past Expiration is a vulnerability that occurs when SSH keys
used for authentication have expired. Expired keys can lead to
unauthorized access to systems and sensitive data, posing a security
risk to the organization.

Vulnerable example

package main

import (
    "golang.org/x/crypto/ssh"
    "net"
)

func main() {}

func insecureIgnoreHostKey() {
    _ = &ssh.ClientConfig{
        User:            "username",
        Auth:            []ssh.AuthMethod{nil},
        HostKeyCallback: ssh.InsecureIgnoreHostKey(),
    }
}

In this example, the InsecureIgnoreHostKey function is used to ignore
host key verification, which can lead to accepting expired or invalid
keys.

Remediation

package main

import (
    "golang.org/x/crypto/ssh"
    "net"
)

func main() {}

func secureHostKeyCallback() {
    publicKeyBytes, _ := ioutil.ReadFile("allowed_hostkey.pub")
    publicKey, _ := ssh.ParsePublicKey(publicKeyBytes)

    _ = &ssh.ClientConfig{
        User:            "username",
        Auth:            []ssh.AuthMethod{nil},
        HostKeyCallback: ssh.FixedHostKey(publicKey),
    }
}

By using allowed host keys and proper host key verification, we can
mitigate the risk of accepting expired or invalid SSH keys.

@eyalbe4 eyalbe4 merged commit 19f67fa into jfrog:dev Oct 10, 2024
27 of 28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
improvement Automatically generated release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@eyalbe4