To fix the problem, replace the insecure HostKeyCallback implementation with one that actually verifies the server's key. The straightforward way is ssh.FixedHostKey, which accepts a connection only if the server presents exactly the pinned public key (it compares the marshaled key bytes). This involves reading the allowed host key from a file and using it to build the ssh.ClientConfig:

1. Read the allowed host key from a file.
2. Parse it. ssh.ParsePublicKey takes the raw SSH wire-format bytes; if the file holds the textual `ssh-ed25519 AAAA...` form (ssh-keyscan output or a known_hosts line), use ssh.ParseAuthorizedKey or ssh.ParseKnownHosts instead.
3. Pass the parsed key to ssh.FixedHostKey and assign the result to the HostKeyCallback field of ssh.ClientConfig.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Fixes https://github.com/cloud-barista/cb-tumblebug/security/code-scanning/507