Sanitize hostname used for AWS STS role session name (getsops#558)

* Sanitize hostname used for AWS STS role session name From official docs for --role-session-name (https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html): > The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@- This fixes getsops#441, which occurs when the hostname includes spaces and parentheses * pr notes: wrap STS role session name regex compilation error
max-sixty · Nov 1, 2019 · 6e283a8 · 6e283a8
1 parent d98bff6
commit 6e283a8
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/kms/keysource.go b/kms/keysource.go
@@ -165,8 +165,13 @@ func (key MasterKey) createStsSession(config aws.Config, sess *session.Session)
  if err != nil {
  return nil, err
  }
+ stsRoleSessionNameRe, err := regexp.Compile("[^a-zA-Z0-9=,.@-]+")
+ if err != nil {
+ return nil, fmt.Errorf("Failed to compile STS role session name regex: %v", err)
+ }
+ sanitizedHostname := stsRoleSessionNameRe.ReplaceAllString(hostname, "")
  stsService := sts.New(sess)
- name := "sops@" + hostname
+ name := "sops@" + sanitizedHostname
  out, err := stsService.AssumeRole(&sts.AssumeRoleInput{
  RoleArn: &key.Role, RoleSessionName: &name})
  if err != nil {