roddhjav / pass-audit

A pass extension for auditing your password repository.
https://www.passwordstore.org/
GNU General Public License v3.0

terminate the GnuPG commandline #28

Closed anarcat closed 2 years ago

anarcat commented 2 years ago

This is a safety measure to ensure that GnuPG may not be fed arbitrary commandline arguments from the .gpg-id file. Normally, that file is considered trusted, but it might be possible, in a multi-user password-store, that it contains untrusted input from other users, even if signed.

In that sense, it's technically possible for other users to add arbitrary content in there, and therefore arbitrary commandline arguments to GnuPG. There are two things that mitigate that possible security issue already:

  1. each .gpg-id line is passed individually, in a list, so it will not get expanded by a shell, which also means only a single argument can be passed

  2. the --list-keys argument is already passed, so it is probably not possible to change the "mode" of GnuPG (say make it encrypt or sign content)

However, the GnuPG commandline interface being particularly inscrutable, it seems safer to terminate the commandline using the colloquial --.
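The following is an added example, not code from pass-audit or from this PR. It builds the `gpg --list-keys` argument list from the lines of a `.gpg-id` file with and without the `--` terminator, and uses Python's `argparse` as a stand-in for a getopt-style option parser to show why the terminator matters: without it, a `.gpg-id` line that begins with a dash is consumed as an option; with it, every line is an operand. The sample `.gpg-id` content, the `--homedir=/tmp/evil` line and the parser model are constructed for illustration; GnuPG's real parser is not modelled here, and the `--batch` flag is an assumption about how such a call would normally be made.

```python
"""Added example: terminate the GnuPG argument list with `--` so that
.gpg-id lines can only ever be operands, never options.
This is illustrative code, not pass-audit's own implementation."""
import argparse
from typing import Dict, List, Tuple

# Constructed sample .gpg-id content: two ordinary recipients plus one
# hypothetical line that looks like a GnuPG option.
SAMPLE_GPG_ID = "0xDEADBEEFCAFEF00D\nalice@example.org\n--homedir=/tmp/evil\n"


def parse_gpg_id(text: str) -> List[str]:
    """Return the non-empty, stripped lines of a .gpg-id file, one id each."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_list_keys_cmd(gpg_ids: List[str], terminate: bool = True) -> List[str]:
    """Build the argv handed to subprocess (a list, so no shell expansion).

    With terminate=True the ids are placed after `--`; a getopt-style
    parser stops option processing there and treats them as operands.
    """
    cmd = ["gpg", "--batch", "--list-keys"]
    if terminate:
        cmd.append("--")
    return cmd + gpg_ids


def simulate_option_parser(argv: List[str]) -> Tuple[Dict[str, object], List[str]]:
    """Model how a getopt-style CLI splits argv into options and operands.

    argparse stands in for GnuPG's parser here; it honours `--` the same
    way (everything after it is an operand). Returns (options, operands).
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--batch", action="store_true")
    parser.add_argument("--list-keys", action="store_true")
    parser.add_argument("--homedir")  # the option the crafted line targets
    parser.add_argument("operands", nargs="*")
    ns = parser.parse_args(argv[1:])  # drop the program name
    options = {k: v for k, v in vars(ns).items() if k != "operands" and v}
    return options, ns.operands


def suspicious_gpg_ids(gpg_ids: List[str]) -> List[str]:
    """Defensive check a repository audit could run: flag any .gpg-id entry
    that starts with a dash, since a key id or e-mail never does."""
    return [gid for gid in gpg_ids if gid.startswith("-")]


if __name__ == "__main__":
    ids = parse_gpg_id(SAMPLE_GPG_ID)
    print("flagged:", suspicious_gpg_ids(ids))
    for terminate in (False, True):
        opts, operands = simulate_option_parser(build_list_keys_cmd(ids, terminate))
        print(f"terminate={terminate}: options={opts} operands={operands}")
```

Without `--`, the crafted line is parsed as `--homedir=/tmp/evil` and the recipient list shrinks to two entries; with `--`, all three lines are operands and the parser reports no `homedir` option. The `suspicious_gpg_ids` check is a complementary audit step: even with the terminator in place, a dash-prefixed line in a shared `.gpg-id` is worth reporting.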

roddhjav commented 2 years ago

Thanks a lot for your work and your recommendation on this issue.

If you wish, you can also create the same PR in pass-import as it uses the same code: https://github.com/roddhjav/pass-import/blob/47f8b3a8654a7b9a775f7f7b50b93b24c5df85f4/pass_import/managers/passwordstore.py#L209

anarcat commented 2 years ago

> If you wish, you can also create the same PR in pass-import as it uses the same code:

done