reject passwords with single or double quotes or backslashes

2025-12-06 09:12:45 +01:00 · 2020-09-28 11:51:19 -04:00
parent 3ba8f47d9c
commit 85e53c53af
5 changed files with 28 additions and 1 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -45,3 +45,9 @@ check_container() {
 	docker ps | grep "$1:" > /dev/null 2>&1
 	return $?
 }
+
+check_password() {
+    local password=$1
+    echo "$password" | egrep -v "'|\"|\\\\" > /dev/null 2>&1
+    return $?
+}
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs FLEET_PASS

+if ! check_password "$FLEET_PASS"; then
+  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+  exit 2
+fi
+
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 	echo "Failed to generate Fleet password hash."
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs THEHIVE_PASS

+if ! check_password "$THEHIVE_PASS"; then
+  echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+  exit 2
+fi
+
 # Create new user in TheHive
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -371,7 +371,11 @@ collect_webuser_inputs() {

 	WPMATCH=no
 	while [[ $WPMATCH != yes ]]; do
-		whiptail_create_web_user_password1
+	    whiptail_create_web_user_password1
+	    while ! check_password "$WEBPASSWD1"; do
+			whiptail_invalid_pass_characters_warning
+			whiptail_create_web_user_password1
+		done
 		if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
 			whiptail_create_web_user_password2
 			check_web_pass
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -381,6 +381,13 @@ whiptail_invalid_pass_warning() {
 	whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
 }

+whiptail_invalid_pass_characters_warning() {
+
+	[ -n "$TESTING" ] && return
+
+	whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
+}
+
 whiptail_cur_close_days() {

 	[ -n "$TESTING" ] && return