Tracking pull request to merge release-1.32.0 to main #796
base: main
* sftp automation
* some fixes and changes
| pkey_file = get_minio_object(settings.SSH_PKEY_FILENAME) | ||
| pkey = paramiko.RSAKey.from_private_key(io.StringIO(pkey_file.data.decode("utf-8"))) | ||
| client = paramiko.SSHClient() | ||
| client.set_missing_host_key_policy(paramiko.AutoAddPolicy) |
Check failure
Code scanning / CodeQL
Accepting unknown SSH host keys when using Paramiko High
Copilot Autofix
AI 5 months ago
To fix this issue, you should change the missing host key policy in the get_ssh_client() function from paramiko.AutoAddPolicy to paramiko.RejectPolicy. The RejectPolicy will refuse connection if the host key is not present in the known hosts file, ensuring host authenticity and protecting against man-in-the-middle exploits. This fix should be implemented by changing line 157 in django/api/services/cra.py so that it reads client.set_missing_host_key_policy(paramiko.RejectPolicy).
If this change causes exceptions upon connecting to new servers, you'll need to ensure that host keys are preloaded into the system's known hosts (or manually added via Paramiko's load_system_host_keys or load_host_keys methods). However, based solely on the code provided, only the policy line needs to be updated.
| @@ -154,7 +154,7 @@ | ||
| pkey_file = get_minio_object(settings.SSH_PKEY_FILENAME) | ||
| pkey = paramiko.RSAKey.from_private_key(io.StringIO(pkey_file.data.decode("utf-8"))) | ||
| client = paramiko.SSHClient() | ||
| client.set_missing_host_key_policy(paramiko.AutoAddPolicy) | ||
| client.set_missing_host_key_policy(paramiko.RejectPolicy) | ||
| client.connect( | ||
| settings.CRA_SFTP_HOST, | ||
| port=int(settings.CRA_SFTP_PORT), |
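Review bot: At the `client.set_missing_host_key_policy(paramiko.RejectPolicy)` line, nothing visible in this hunk loads a host key before `client.connect(...)`, so unless keys are loaded elsewhere, every connection to `settings.CRA_SFTP_HOST` will be refused. Load the server's pinned host key on the client before connecting, for example with `client.load_host_keys(...)` on a known_hosts file stored alongside the private key, or with `client.load_system_host_keys()`. If `CRA_SFTP_PORT` is not 22, the known_hosts entry has to be written as `[host]:port`, because that is the name Paramiko looks up for non-default ports. Separately, `paramiko.RSAKey.from_private_key` only accepts RSA keys, which is worth documenting next to `SSH_PKEY_FILENAME`.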



No description provided.