Merge branch 'main' into fix/issue-1

2026-02-20 08:58:43 +01:00 · 2026-02-20 08:58:43 +01:00 · d18e286377
commit d18e286377
parent c0f221b1ca f49fde3a06
7 changed files with 265 additions and 8 deletions
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
@ -1047,7 +1047,6 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr
 	// Test invalid secret names
 	invalidNames := []string{
 		"",                // empty
-		"UPPERCASE",       // uppercase not allowed
 		"with space",      // spaces not allowed
 		"with@symbol",     // special characters not allowed
 		"with#hash",       // special characters not allowed
@ -1073,7 +1072,7 @@ func test12SecretNameFormats(t *testing.T, tempDir, testMnemonic string, runSecr

 			// Some of these might not be invalid after all (e.g., leading/trailing slashes might be stripped, .hidden might be allowed)
 			// For now, just check the ones we know should definitely fail
-			definitelyInvalid := []string{"", "UPPERCASE", "with space", "with@symbol", "with#hash", "with$dollar"}
+			definitelyInvalid := []string{"", "with space", "with@symbol", "with#hash", "with$dollar"}
 			shouldFail := false
 			for _, invalid := range definitelyInvalid {
 				if invalidName == invalid {
--- a/internal/secret/derivation_index_test.go
+++ b/internal/secret/derivation_index_test.go
@ -0,0 +1,82 @@
+package secret
+
+import (
+	"encoding/json"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.eeqj.de/sneak/secret/pkg/agehd"
+	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// realVault is a minimal VaultInterface backed by a real afero filesystem,
+// using the same directory layout as vault.Vault.
+type realVault struct {
+	name     string
+	stateDir string
+	fs       afero.Fs
+}
+
+func (v *realVault) GetDirectory() (string, error) {
+	return filepath.Join(v.stateDir, "vaults.d", v.name), nil
+}
+func (v *realVault) GetName() string        { return v.name }
+func (v *realVault) GetFilesystem() afero.Fs { return v.fs }
+
+// Unused by getLongTermPrivateKey — these satisfy VaultInterface.
+func (v *realVault) AddSecret(string, *memguard.LockedBuffer, bool) error { panic("not used") }
+func (v *realVault) GetCurrentUnlocker() (Unlocker, error)               { panic("not used") }
+func (v *realVault) CreatePassphraseUnlocker(*memguard.LockedBuffer) (*PassphraseUnlocker, error) {
+	panic("not used")
+}
+
+// createRealVault sets up a complete vault directory structure on an in-memory
+// filesystem, identical to what vault.CreateVault produces.
+func createRealVault(t *testing.T, fs afero.Fs, stateDir, name string, derivationIndex uint32) *realVault {
+	t.Helper()
+
+	vaultDir := filepath.Join(stateDir, "vaults.d", name)
+	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "secrets.d"), DirPerms))
+	require.NoError(t, fs.MkdirAll(filepath.Join(vaultDir, "unlockers.d"), DirPerms))
+
+	metadata := VaultMetadata{
+		CreatedAt:       time.Now(),
+		DerivationIndex: derivationIndex,
+	}
+	metaBytes, err := json.Marshal(metadata)
+	require.NoError(t, err)
+	require.NoError(t, afero.WriteFile(fs, filepath.Join(vaultDir, "vault-metadata.json"), metaBytes, FilePerms))
+
+	return &realVault{name: name, stateDir: stateDir, fs: fs}
+}
+
+func TestGetLongTermPrivateKeyUsesVaultDerivationIndex(t *testing.T) {
+	const testMnemonic = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+
+	// Derive expected keys at two different indices to prove they differ.
+	key0, err := agehd.DeriveIdentity(testMnemonic, 0)
+	require.NoError(t, err)
+	key5, err := agehd.DeriveIdentity(testMnemonic, 5)
+	require.NoError(t, err)
+	require.NotEqual(t, key0.String(), key5.String(),
+		"sanity check: different derivation indices must produce different keys")
+
+	// Build a real vault with DerivationIndex=5 on an in-memory filesystem.
+	fs := afero.NewMemMapFs()
+	vault := createRealVault(t, fs, "/state", "test-vault", 5)
+
+	t.Setenv(EnvMnemonic, testMnemonic)
+
+	result, err := getLongTermPrivateKey(fs, vault)
+	require.NoError(t, err)
+	defer result.Destroy()
+
+	assert.Equal(t, key5.String(), string(result.Bytes()),
+		"getLongTermPrivateKey should derive at vault's DerivationIndex (5)")
+	assert.NotEqual(t, key0.String(), string(result.Bytes()),
+		"getLongTermPrivateKey must not use hardcoded index 0")
+}
--- a/internal/secret/keychainunlocker.go
+++ b/internal/secret/keychainunlocker.go
@ -251,8 +251,25 @@ func getLongTermPrivateKey(fs afero.Fs, vault VaultInterface) (*memguard.LockedB
 	// Check if mnemonic is available in environment variable
 	envMnemonic := os.Getenv(EnvMnemonic)
 	if envMnemonic != "" {
-		// Use mnemonic directly to derive long-term key
-		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, 0)
+		// Read vault metadata to get the correct derivation index
+		vaultDir, err := vault.GetDirectory()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get vault directory: %w", err)
+		}
+
+		metadataPath := filepath.Join(vaultDir, "vault-metadata.json")
+		metadataBytes, err := afero.ReadFile(fs, metadataPath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read vault metadata: %w", err)
+		}
+
+		var metadata VaultMetadata
+		if err := json.Unmarshal(metadataBytes, &metadata); err != nil {
+			return nil, fmt.Errorf("failed to parse vault metadata: %w", err)
+		}
+
+		// Use mnemonic with the vault's actual derivation index
+		ltIdentity, err := agehd.DeriveIdentity(envMnemonic, metadata.DerivationIndex)
 		if err != nil {
 			return nil, fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
 		}
--- a/internal/secret/secret_test.go
+++ b/internal/secret/secret_test.go
@ -257,9 +257,10 @@ func isValidSecretName(name string) bool {
 	if name == "" {
 		return false
 	}
-	// Valid characters for secret names: lowercase letters, numbers, dash, dot, underscore, slash
+	// Valid characters for secret names: letters, numbers, dash, dot, underscore, slash
 	for _, char := range name {
 		if (char < 'a' || char > 'z') && // lowercase letters
+			(char < 'A' || char > 'Z') && // uppercase letters
 			(char < '0' || char > '9') && // numbers
 			char != '-' && // dash
 			char != '.' && // dot
@ -283,7 +284,9 @@ func TestSecretNameValidation(t *testing.T) {
 		{"valid/path/name", true},
 		{"123valid", true},
 		{"", false},
-		{"Invalid-Name", false}, // uppercase not allowed
+		{"Valid-Upper-Name", true},                             // uppercase allowed
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},  // real-world uppercase key ID
+		{"MixedCase/Path/Name", true},                          // mixed case with path
 		{"invalid name", false}, // space not allowed
 		{"invalid@name", false}, // @ not allowed
 	}
--- a/internal/vault/path_traversal_test.go
+++ b/internal/vault/path_traversal_test.go
@ -0,0 +1,96 @@
+package vault
+
+import (
+	"testing"
+
+	"git.eeqj.de/sneak/secret/internal/secret"
+	"github.com/awnumar/memguard"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestGetSecretVersionRejectsPathTraversal verifies that GetSecretVersion
+// validates the secret name and rejects path traversal attempts.
+// This is a regression test for https://git.eeqj.de/sneak/secret/issues/13
+func TestGetSecretVersionRejectsPathTraversal(t *testing.T) {
+	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+
+	vlt, err := CreateVault(fs, stateDir, "test-vault")
+	require.NoError(t, err)
+
+	// Add a legitimate secret so the vault is set up
+	value := memguard.NewBufferFromBytes([]byte("legitimate-secret"))
+	err = vlt.AddSecret("legit", value, false)
+	require.NoError(t, err)
+
+	// These names contain path traversal and should be rejected
+	maliciousNames := []string{
+		"../../../etc/passwd",
+		"..%2f..%2fetc/passwd",
+		".secret",
+		"../sibling-vault/secrets.d/target",
+		"foo/../bar",
+		"a/../../etc/passwd",
+	}
+
+	for _, name := range maliciousNames {
+		t.Run(name, func(t *testing.T) {
+			_, err := vlt.GetSecretVersion(name, "")
+			assert.Error(t, err, "GetSecretVersion should reject malicious name: %s", name)
+			assert.Contains(t, err.Error(), "invalid secret name",
+				"error should indicate invalid name for: %s", name)
+		})
+	}
+}
+
+// TestGetSecretRejectsPathTraversal verifies GetSecret (which calls GetSecretVersion)
+// also rejects path traversal names.
+func TestGetSecretRejectsPathTraversal(t *testing.T) {
+	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+
+	vlt, err := CreateVault(fs, stateDir, "test-vault")
+	require.NoError(t, err)
+
+	_, err = vlt.GetSecret("../../../etc/passwd")
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "invalid secret name")
+}
+
+// TestGetSecretObjectRejectsPathTraversal verifies GetSecretObject
+// also validates names and rejects path traversal attempts.
+func TestGetSecretObjectRejectsPathTraversal(t *testing.T) {
+	testMnemonic := "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
+	t.Setenv(secret.EnvMnemonic, testMnemonic)
+	t.Setenv(secret.EnvUnlockPassphrase, "test-passphrase")
+
+	fs := afero.NewMemMapFs()
+	stateDir := "/test/state"
+
+	vlt, err := CreateVault(fs, stateDir, "test-vault")
+	require.NoError(t, err)
+
+	maliciousNames := []string{
+		"../../../etc/passwd",
+		"foo/../bar",
+		"a/../../etc/passwd",
+	}
+
+	for _, name := range maliciousNames {
+		t.Run(name, func(t *testing.T) {
+			_, err := vlt.GetSecretObject(name)
+			assert.Error(t, err, "GetSecretObject should reject: %s", name)
+			assert.Contains(t, err.Error(), "invalid secret name")
+		})
+	}
+}
--- a/internal/vault/secrets.go
+++ b/internal/vault/secrets.go
@ -67,7 +67,7 @@ func (v *Vault) ListSecrets() ([]string, error) {
 	return secrets, nil
 }

-// isValidSecretName validates secret names according to the format [a-z0-9\.\-\_\/]+
+// isValidSecretName validates secret names according to the format [a-zA-Z0-9\.\-\_\/]+
 // but with additional restrictions:
 // - No leading or trailing slashes
 // - No double slashes
@ -92,8 +92,15 @@ func isValidSecretName(name string) bool {
 		return false
 	}

+	// Check for path traversal via ".." components
+	for _, part := range strings.Split(name, "/") {
+		if part == ".." {
+			return false
+		}
+	}
+
 	// Check the basic pattern
-	matched, _ := regexp.MatchString(`^[a-z0-9\.\-\_\/]+$`, name)
+	matched, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-\_\/]+$`, name)

 	return matched
 }
@ -319,6 +326,13 @@ func (v *Vault) GetSecretVersion(name string, version string) ([]byte, error) {
 		slog.String("version", version),
 	)

+	// Validate secret name to prevent path traversal
+	if !isValidSecretName(name) {
+		secret.Debug("Invalid secret name provided", "secret_name", name)
+
+		return nil, fmt.Errorf("invalid secret name '%s': must match pattern [a-z0-9.\\-_/]+", name)
+	}
+
 	// Get vault directory
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
@ -454,6 +468,10 @@ func (v *Vault) UnlockVault() (*age.X25519Identity, error) {

 // GetSecretObject retrieves a Secret object with metadata loaded from this vault
 func (v *Vault) GetSecretObject(name string) (*secret.Secret, error) {
+	if !isValidSecretName(name) {
+		return nil, fmt.Errorf("invalid secret name: %s", name)
+	}
+
 	// First check if the secret exists by checking for the metadata file
 	vaultDir, err := v.GetDirectory()
 	if err != nil {
--- a/internal/vault/secrets_name_test.go
+++ b/internal/vault/secrets_name_test.go
@ -0,0 +1,42 @@
+package vault
+
+import "testing"
+
+func TestIsValidSecretNameUppercase(t *testing.T) {
+	tests := []struct {
+		name  string
+		valid bool
+	}{
+		// Lowercase (existing behavior)
+		{"valid-name", true},
+		{"valid.name", true},
+		{"valid_name", true},
+		{"valid/path/name", true},
+		{"123valid", true},
+
+		// Uppercase (new behavior - issue #2)
+		{"Valid-Upper-Name", true},
+		{"2025-11-21-ber1app1-vaultik-test-bucket-AKI", true},
+		{"MixedCase/Path/Name", true},
+		{"ALLUPPERCASE", true},
+		{"ABC123", true},
+
+		// Still invalid
+		{"", false},
+		{"invalid name", false},
+		{"invalid@name", false},
+		{".dotstart", false},
+		{"/leading-slash", false},
+		{"trailing-slash/", false},
+		{"double//slash", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := isValidSecretName(tt.name)
+			if result != tt.valid {
+				t.Errorf("isValidSecretName(%q) = %v, want %v", tt.name, result, tt.valid)
+			}
+		})
+	}
+}