mirror of
https://github.com/slackhq/nebula.git
synced 2026-05-15 20:37:36 +02:00
f8587956ba
* add sshd.sandbox_dir config option Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory. Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior. * update default and example * use os.TempDir() for sshd.sandbox_dir default * split sandbox path validation into separate conditionals Separate the combined && check in sshSanitizeFilePath into two distinct conditionals with specific error messages: one for paths resolving to the sandbox directory itself, and one for paths outside the sandbox. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> * fix: trim leading zeros from p256 signature swap result bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER parsing strips leading zeros. This caused a flaky test failure (~1/256 chance) when the S value's high byte was zero. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> --------- Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>
cert
This is a library for interacting with nebula style certificates and authorities.
There are now 2 versions of nebula certificates:
v1
This version is deprecated.
A protobuf definition of the certificate format is included at cert_v1.proto
To compile the definition you will need protoc installed.
To compile for go with the same version of protobuf specified in go.mod:
make proto
v2
This is the latest version which uses asn.1 DER encoding. It can support ipv4 and ipv6 and tolerate future certificate changes better than v1.
cert_v2.asn1 defines the wire format and can be used to compile marshalers.