Skip to content

fix: replace bare except clauses and add path validation in PAM base#1901

Open
jlima8900 wants to merge 9 commits intoKeeper-Security:releasefrom
jlima8900:fix/pam-base-error-handling-pr1892
Open

fix: replace bare except clauses and add path validation in PAM base#1901
jlima8900 wants to merge 9 commits intoKeeper-Security:releasefrom
jlima8900:fix/pam-base-error-handling-pr1892

Conversation

@jlima8900
Copy link
Copy Markdown
Contributor

@jlima8900 jlima8900 commented Mar 28, 2026

Summary

Replaces all 35 bare except: clauses in keepercommander/commands/pam_import/base.py with specific exception types (JSONDecodeError, ValueError, KeyError) and adds path traversal validation for file operations. Also removes truncated input data from error log messages to resolve CodeQL clear-text logging alerts.

Changes

  • 35 bare except: → specific types — each handler now catches only the expected exception
  • Path traversal check — validates file paths use os.path.realpath before access
  • Log sanitization — removed {str(data)[:80]} from all error messages (CodeQL fix)

Tests

  • 16 unit tests in test_pam_base_error_handling.py
  • CI: pytest 3.7 + 3.12 passing

CodeQL

All clear-text logging alerts resolved in this single squashed commit.

Copy link
Copy Markdown
Contributor

@github-advanced-security github-advanced-security AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

obj = cls()
try: data = json.loads(data) if isinstance(data, str) else data
except: logging.error(f"Pam Scripts failed to load from: {str(data)[:80]}...")
except json.JSONDecodeError as e: logging.error(f"Pam Scripts: invalid JSON at line {e.lineno}, col {e.colno} — {e.msg}. Input (truncated): {str(data)[:80]}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text.
obj = cls()
try: data = json.loads(data) if isinstance(data, str) else data
except: logging.error(f"PAM script failed to load from: {str(data)[:80]}")
except json.JSONDecodeError as e: logging.error(f"PAM script: invalid JSON at line {e.lineno}, col {e.colno} — {e.msg}. Input (truncated): {str(data)[:80]}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text.
obj = cls()
try: data = json.loads(data) if isinstance(data, str) else data
except: logging.error(f"PAM Attachments failed to load from: {str(data)[:80]}...")
except json.JSONDecodeError as e: logging.error(f"PAM Attachments: invalid JSON at line {e.lineno}, col {e.colno} — {e.msg}. Input (truncated): {str(data)[:80]}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text.
obj = cls()
try: data = json.loads(data) if isinstance(data, str) else data
except: logging.error(f"Failed to load file attachment from: {str(data)[:80]}")
except json.JSONDecodeError as e: logging.error(f"File attachment: invalid JSON at line {e.lineno}, col {e.colno} — {e.msg}. Input (truncated): {str(data)[:80]}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text.
obj = cls()
try: data = json.loads(data) if isinstance(data, str) else data
except: logging.error(f"Failed to load rotation schedule from: {str(data)[:80]}")
except json.JSONDecodeError as e: logging.error(f"Rotation schedule: invalid JSON at line {e.lineno}, col {e.colno} — {e.msg}. Input (truncated): {str(data)[:80]}")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information

This expression logs [sensitive data (secret)](1) as clear text.
@jlima8900 jlima8900 changed the base branch from master to release March 30, 2026 13:33
@jlima8900 jlima8900 force-pushed the fix/pam-base-error-handling-pr1892 branch 2 times, most recently from e6e690a to 6ad7fd9 Compare April 2, 2026 08:20
@jlima8900
Copy link
Copy Markdown
Contributor Author

@aaunario — ready for review. Squashed to single commit, all CodeQL alerts resolved, 16 unit tests passing.

@jlima8900 jlima8900 force-pushed the fix/pam-base-error-handling-pr1892 branch from a38b94d to 871b277 Compare April 2, 2026 21:20
idimov-keeper and others added 3 commits April 3, 2026 20:59
* Added full terminal reset after ssh session exit (clears scrollback etc.)

* Fixes randomly eaten first characters typed after ssh session exit (stdin race condition)

* Fixed random duplicate typed characters (echo)
Keeper-Security#1908)

- Added `move` to the list of `apply-action` choices, which will move all returned users to a node - specified with `target-node`

- Added `all` to the list of `status` choices, returning invited, active and locked users with `d=0`

- Fixed an issue where the users updated with `apply-action` are not the same as those filtered with the `node` argument.

- Fixed a potential unwanted behavior where the `node` argument returns a recursive node and subnodes search, preventing you from applying actions to a specific node if it has subnodes. By default, using the `node` argument will only return result from the specified node.

- Added a `recursive` argument to replicate the old behavior with `node` filter.
- Narrow all bare except clauses to json.JSONDecodeError with structured
  error messages (line, col, msg) across 30+ load() methods
- Replace em-dashes with double-dashes in all log messages
- Add TypeError, AttributeError to CRON except tuple
- Extract shared _validate_file_path() helper (DRY)
- Add path traversal rejection (.. components)
- Add tests for rotation settings, base machine parser, CRON edge cases
@jlima8900 jlima8900 force-pushed the fix/pam-base-error-handling-pr1892 branch from 871b277 to c011296 Compare April 4, 2026 10:35
Prevents directories from passing file path validation.
@sk-keeper sk-keeper force-pushed the release branch 3 times, most recently from 442d7af to 9ec9b7a Compare April 15, 2026 03:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants