Ignore comments in ssh_config Include parsing #1199
Conversation
There was a problem hiding this comment.
Let's amend our test suite to cover for this case, see test/t/unit/test_unit_known_hosts.py
There was a problem hiding this comment.
- reworked the sed expression to remove trailing spaces
- test suite amended (hopefully I understood it well)
- commit message updated also
also I realized we may be in murky waters at this inline/trailing comment support has only been gradually added to sshd_config then ssh_config around SSH version 8.5 (sshd_config - https://bugzilla.mindrot.org/attachment.cgi?id=3460 and ssh_config https://bugzilla.mindrot.org/show_bug.cgi?id=2320)
So for example code
_comp_split hosts "$(command sed -ne 's/^[[:blank:]]*[Hh][Oo][Ss][Tt][[:blank:]=]\{1,\}\(.*\)$/\1/p' "${config[@]}")"; then
in block https://github.com/scop/bash-completion/blob/main/bash_completion#L2646-L2652 may need changes also to handle those inline comments
remil1000
force-pushed
the
main
branch
2 times, most recently
from
57561fb
to
663255d
Compare
| @@ -127,6 +126,8 @@ def test_included_configs(self, bash, hosts): | |||
| expected.extend("asterisk_1 asterisk_2".split()) | |||
| # fixtures/_known_hosts/.ssh/config_question_mark | |||
| expected.append("question_mark") | |||
| # fixtures/_known_hosts/.ssh/config_comment | |||
| expected.append("with_comment") | |||
There was a problem hiding this comment.
The test seems to require the hostname found by the Include directive with inline comments, but the test doesn't seem to require that the words in the comment are excluded.
There was a problem hiding this comment.
the original fix is to discard inline comments after an Include directive
if the included file would contain Host with_comment # to be ignored then this patch would also require to update the Host directive parsing sed expression (which I already tried) only to find out it breaks https://github.com/scop/bash-completion/blob/main/test/fixtures/_known_hosts/config#L9 Host = hus%%eth0 !negated #not-a-comment as until now fixtures considered inline comments as actual content to be parsed
This is precisely why I only patched the Include parsing expression and mentioned this future Host issue, because tests would fail one after the other
There was a problem hiding this comment.
I think the fixture for Host should also be updated.
Edit: The original fix for sshd_config seems to be 20 years old: openbsd/src@5541d00, and then for ssh_config, openbsd/src@dd1a025. This is an explicit change in the upstream parsing, so we can update the fixture to match the upstream.
By the way, I started this "conversation" (in the GitHub term) to discuss what should be tested. You've modified the test, but it doesn't seem to test the expectation by the original fix for Include. Could you test that a word that matches a filename in the comment is excluded? You can add another file in the fixture and put a hostname that should not be collected there. Then, you can include the filename in the inline comment on a Include line.
| @@ -2447,7 +2447,8 @@ _comp__included_ssh_config_files() | |||
| # https://github.com/openssh/openssh-portable/blob/5ec5504f1d328d5bfa64280cd617c3efec4f78f3/readconf.c#L2240 | |||
| local max_depth=16 | |||
| while ((${#included[@]} > 0 && depth++ < max_depth)); do | |||
| _comp_split include_files "$(command sed -ne 's/^[[:blank:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:blank:]]\(.*\)$/\1/p' "${included[@]}")" || return | |||
| _comp_split include_files "$(command sed -n -e 's/[[:blank:]]*#.*//' -e 's/^[[:blank:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:blank:]]*\(..*\)/\1/p' "${included[@]}")" || return | |||
There was a problem hiding this comment.
Should we remove the trailing/preceding whitespaces? Those are stripped by _comp_split anyway. Then, the sed expression can be simplified:
| _comp_split include_files "$(command sed -n -e 's/[[:blank:]]*#.*//' -e 's/^[[:blank:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:blank:]]*\(..*\)/\1/p' "${included[@]}")" || return | |
| _comp_split include_files "$(command sed -ne 's/^[[:blank:]]*[Ii][Nn][Cc][Ll][Uu][Dd][Ee][[:blank:]]*\([^#]*\).*$/\1/p' "${included[@]}")" || return |
There was a problem hiding this comment.
this is mainly because I discovered OpenSSH maintainers, in their parser, are actually proceeding like this, simply stopping processing as soon as they hit a # sign and trimming
/* Remove comment and trailing whitespace */
if ((cp = strchr(orig, '#')) != NULL)
*cp = '\0';
rtrim(orig);
https://github.com/openbsd/src/blob/master/usr.bin/ssh/readconf.c#L3229-L3232
I can revert to your proposition, which, incidentally is very similar to my first proposal in the PR
There was a problem hiding this comment.
Does the result change with this implementation detail?
I agree. We want to apply the changes consistently for similar cases. |
When parsing Include directive in ssh_config files, comments on the same line as the directive are considered as files to be recursively processed. Best case the recursive
max_depth=16terminates this early, but on old versions it may lead to random reads or an infinite recursion, hanging the shell processExample before/after:
A minimal ssh client config file
The current sed expression
Proposed change to sed expression (ignore anything coming after a
#)