From 07ff397ee505683fac9601790bc90ca52f3fef24 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Tue, 17 Feb 2026 09:54:09 -0800
Subject: [PATCH] security: add SSH key path validation to aws/lib/common.sh (#1414)

Add validation in ensure_ssh_key() to prevent path traversal and arbitrary file upload attacks:
- Validate public key file exists and is a regular file
- Reject symlinks to prevent reading sensitive system files
- Enforce 10KB size limit (SSH pubkeys are ~100-600 bytes)
Fixes #1407
Agent: complexity-hunter
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 aws/lib/common.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/aws/lib/common.sh b/aws/lib/common.sh
index d8eae006..2527c6ab 100644
--- a/aws/lib/common.sh
+++ b/aws/lib/common.sh
@@ -61,6 +61,24 @@ ensure_ssh_key() {
 # Generate key if needed
 generate_ssh_key_if_missing "${key_path}"
+ # Validate SSH public key path before upload
+ if [[ ! -f "${pub_path}" ]]; then
+ log_error "SSH public key not found: ${pub_path}"
+ return 1
+ fi
+ if [[ -L "${pub_path}" ]]; then
+ log_error "SSH public key cannot be a symlink: ${pub_path}"
+ return 1
+ fi
+ # SSH public keys are typically 100-600 bytes (ed25519/RSA)
+ # Reject suspiciously large files to prevent arbitrary file upload
+ local size
+ size=$(wc -c <"${pub_path}")
+ if [[ ${size} -gt 10000 ]]; then
+ log_error "SSH public key file too large: ${size} bytes (max 10000)"
+ return 1
+ fi
+
 local key_name="spawn-key"
 # Check if already registered
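Review bot: The three added checks in ensure_ssh_key() constrain file type and size but never look at the content, so any small regular file (a private key or a credentials file, for example) still passes and would be uploaded as key material; the size cap alone does not deliver the "prevent arbitrary file upload" goal stated in the commit message. A format check after the size test would close that gap, e.g. `grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "${pub_path}" || { log_error "Not an SSH public key: ${pub_path}"; return 1; }`, with the accepted key types adjusted to what the import call supports. The `-L` test also covers only the final path component, and the file is presumably read again by the upload step, so a check-then-use gap remains; reading the file once into a variable and validating and uploading that copy would remove it. `pub_path` is assigned and the upload happens outside this hunk, so both points should be confirmed against the rest of the function.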