search

square / keywhiz

A system for distributing and managing secrets
https://square.github.io/keywhiz/
Apache License 2.0
2.62k stars 216 forks source link

Keywhiz has inconsistencies in filename enforcement #170

Open sqshh opened 8 years ago

sqshh commented 8 years ago

As evidenced by this output:

keywhiz.cli describe secret --name shh.2016-01-26T23:49:27Z.key
Exception in thread "main" java.lang.IllegalArgumentException: Invalid name, must match ^[a-zA-Z_0-9\-.]+$
    at keywhiz.cli.commands.DescribeAction.run(DescribeAction.java:58)
    at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:141)
    at keywhiz.cli.CliMain.main(CliMain.java:68)

This secret was added via the automation API and otherwise is served and is displayed correctly.

alokmenghrajani commented 8 years ago

We should remove the check in the cli and enforce (if we wish to) on the server side. Given that the secrets end up being accessed via a file system API, limiting the name to some subset of characters we know work across platforms is probably going to be a good idea.