Skip to content

[PLACEHOLDER] Fix for code scanning alert no. 4: Use of insecure HostKeyCallback implementation#69

Draft
eriknordmark wants to merge 1 commit into
mainfrom
alert-autofix-4
Draft

[PLACEHOLDER] Fix for code scanning alert no. 4: Use of insecure HostKeyCallback implementation#69
eriknordmark wants to merge 1 commit into
mainfrom
alert-autofix-4

Conversation

@eriknordmark

@eriknordmark eriknordmark commented Apr 3, 2026

Copy link
Copy Markdown
Contributor

WIP - can we add something to the credentials in the EVE API to include something about the server key?

===

In general, the fix is to replace ssh.InsecureIgnoreHostKey() with a host key verification strategy that validates the server’s host key against an allow list (known-good host key(s)), rejecting connections when the key does not match. The simplest robust pattern in Go is to use ssh.FixedHostKey(pubKey) with a public key that is obtained from a trusted source (e.g., a configuration file, environment variable, or other secure store).

Within this snippet, we should keep the existing behavior and public API of getSftpClient while making host key checking secure. Since we cannot change the function signature or rely on other project files, the least invasive fix is:

  • Load one or more allowed host public keys from a known location (e.g., a file path) before constructing ssh.ClientConfig.
  • Parse the key with ssh.ParseAuthorizedKey (which handles typical known_hosts/authorized_keys formats).
  • Use ssh.FixedHostKey(allowedKey) as the HostKeyCallback.
  • If the key cannot be read or parsed, fail early by returning an error instead of silently disabling checking.

Because we must not assume other project structures, we’ll implement this directly in getSftpClient, introducing no new external dependencies beyond golang.org/x/crypto/ssh and standard library. We will:

  • Add a read of an allow-listed host key file (e.g., /etc/ssh/sftp_hostkey.pub) before building clientConfig.
  • Replace ssh.InsecureIgnoreHostKey() on line 45 with ssh.FixedHostKey(allowedHostKey).
  • Ensure errors loading/parsing the key are propagated to the caller.

This preserves all existing functionality except that connections now require the server host key to match the configured allowed key.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@eriknordmark
eriknordmark requested a review from shjala April 3, 2026 16:35
Use this PR as a reminder that we should look into making the server side of sftp more secure.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: eriknordmark <erik@zededa.com>
@eriknordmark eriknordmark changed the title Potential fix for code scanning alert no. 4: Use of insecure HostKeyCallback implementation [PLACEHOLDER] Fix for code scanning alert no. 4: Use of insecure HostKeyCallback implementation Apr 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant