Merge branch 'security-300265-13-18' into '13-18-stable'

Modify regex to prevent partial matches See merge request gitlab-org/security/gitlab-shell!8

Merge branch 'security-300265-13-18' into '13-18-stable'
d6b32537 · Patrick Bajao · 584643e0 · be84773e · d6b32537 · d6b32537
Commit d6b32537 authored 3 years ago by Patrick Bajao
--- a/CHANGELOG
+++ b/CHANGELOG
+v13.18.1
+
+- Modify regex to prevent partial matches
+
 v13.18.0

 - Fix thread-safety issues in gitlab-shell !463

--- a/VERSION
+++ b/VERSION
-13.18.0
+13.18.1
--- a/internal/command/commandargs/command_args_test.go
+++ b/internal/command/commandargs/command_args_test.go
@@ -23,13 +23,18 @@ func TestParseSuccess(t *testing.T) {
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{},
 			expectedArgs: &Shell{Arguments: []string{}, SshArgs: []string{}, CommandType: Discover, Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
-		},
-		{
+		}, {
 			desc:         "It finds the key id in any passed arguments",
 			executable:   &executable.Executable{Name: executable.GitlabShell},
 			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
 			arguments:    []string{"hello", "key-123"},
 			expectedArgs: &Shell{Arguments: []string{"hello", "key-123"}, SshArgs: []string{}, CommandType: Discover, GitlabKeyId: "123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
+		}, {
+			desc:         "It finds the key id only if the argument is of <key-id> format",
+			executable:   &executable.Executable{Name: executable.GitlabShell},
+			env:          sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"},
+			arguments:    []string{"hello", "username-key-123"},
+			expectedArgs: &Shell{Arguments: []string{"hello", "username-key-123"}, SshArgs: []string{}, CommandType: Discover, GitlabUsername: "key-123", Env: sshenv.Env{IsSSHConnection: true, RemoteAddr: "1"}},
 		}, {
 			desc:         "It finds the username in any passed arguments",
 			executable:   &executable.Executable{Name: executable.GitlabShell},

--- a/internal/command/commandargs/shell.go
+++ b/internal/command/commandargs/shell.go
@@ -20,8 +20,8 @@ const (
 )

 var (
-	whoKeyRegex      = regexp.MustCompile(`\bkey-(?P<keyid>\d+)\b`)
-	whoUsernameRegex = regexp.MustCompile(`\busername-(?P<username>\S+)\b`)
+	whoKeyRegex      = regexp.MustCompile(`\Akey-(?P<keyid>\d+)\z`)
+	whoUsernameRegex = regexp.MustCompile(`\Ausername-(?P<username>\S+)\z`)
 )

 type Shell struct {