(CAT-1919) - Handle scenario when user input password in <anything-in-caps-with-alpha-numeric>*<alpha-numeric-40-chars-in-caps> #1634
Conversation
Ramesh7
requested review from
alexjfisher,
bastelfreak and
a team
as code owners
Ramesh7
force-pushed
the
CAT-1919-fixing-password-issue
branch
2 times, most recently
from
51a60dc to
476ec95
Compare
…-caps-with-alpha-numeric>*<alpha-numeric-40-chars-in-caps>
Ramesh7
force-pushed
the
CAT-1919-fixing-password-issue
branch
from
476ec95 to
c88d048
Compare
| @@ -22,7 +22,7 @@ | |||
| def password(password, sensitive = false) | |||
| password = password.unwrap if password.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive) | |||
|
|
|||
| result_string = if %r{\*[A-F0-9]{40}$}.match?(password) | |||
| result_string = if %r{^\*[A-F0-9]{40}$}.match?(password) | |||
There was a problem hiding this comment.
I just have a few minutes right now, but I'm wondering why we have this regex at all? Does it check if it's a hash and otherwise runs into the last else block and runs SHA1?
There was a problem hiding this comment.
I think the intention is if it's already a Hash, then don't hash it, but since the regex isn't anchored it can pick up other passwords. The other password looks incredibly unlikely in the real world though. But I guess @Ramesh7 bumped into this in their environment??
There was a problem hiding this comment.
@bastelfreak yeah, if its hash then it will return that otherwise it will hash it with SHA1.
@alexjfisher yeah, recently we encountered this and found there is flow in regex which needs to fix, so took it here.
Summary
When the password is passed in
<anything-in-caps-with-alpha-numeric>*<alpha-numeric-40-chars-in-caps>format with Sensitive then the current implementation fails with below error :This is because the
mysql::passworddoesn't handle mentioned condition properly.Checklist
puppet apply)