Fix SonarCloud critical vulnerabilities and bugs#3260
Open
eran132 wants to merge 2 commits intomRemoteNG:v1.78.2-devfrom
Open
Fix SonarCloud critical vulnerabilities and bugs#3260eran132 wants to merge 2 commits intomRemoteNG:v1.78.2-devfrom
eran132 wants to merge 2 commits intomRemoteNG:v1.78.2-devfrom
Conversation
Security fixes (4 CRITICAL vulnerabilities): - PuttyBase.cs: Replace insecure Path.GetTempFileName() with Path.Combine(GetTempPath(), GetRandomFileName()) (S5445, 2 instances) - PasswordstateInterface.cs: Specify 2048-bit key size for RSACryptoServiceProvider (S4426) - SecretServerInterface.cs: Specify 2048-bit key size for RSACryptoServiceProvider (S4426) CI fix (1 MAJOR vulnerability): - Build_mR-NB.yml: Move write permission from workflow level to job level (S8233) Bug fixes (2 CRITICAL bugs): - ToolTipControl.cs: HasBorder setter now assigns backing field hasBorder after updating window style (S4275) - ToolTipControl.cs: Font getter returns backing field instead of re-reading from native handle, ensuring consistency (S4275) These fixes address all CRITICAL/BLOCKER issues on the v1.78.2-dev branch, improving reliability rating from D to A and security rating from D to A. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Review Summary by QodoFix SonarCloud critical vulnerabilities and bugs
WalkthroughsDescription• Fix 4 CRITICAL security vulnerabilities in RSA key generation and temp file handling • Fix 2 CRITICAL bugs in ToolTipControl property accessors • Improve CI/CD workflow security by applying least-privilege principle Diagramflowchart LR
A["Security Issues<br/>RSA & Temp Files"] -->|Fix key size| B["PasswordstateInterface<br/>SecretServerInterface"]
A -->|Replace insecure API| C["PuttyBase"]
D["Bug Issues<br/>ToolTipControl"] -->|Fix setter| E["HasBorder property"]
D -->|Fix getter| F["Font property"]
G["CI Vulnerability<br/>Permissions"] -->|Move to job level| H["Build_mR-NB.yml"]
B --> I["Improved Security Rating"]
C --> I
E --> J["Improved Reliability Rating"]
F --> J
H --> K["Least-Privilege Access"]
File Changes1. ExternalConnectors/CPS/PasswordstateInterface.cs
|
Code Review by Qodo
|
|
Comment on lines
+124
to
126
| optionalTemporaryPrivateKeyPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName()); | ||
| File.WriteAllText(optionalTemporaryPrivateKeyPath, privatekey); | ||
| FileInfo fileInfo = new(optionalTemporaryPrivateKeyPath) |
There was a problem hiding this comment.
1. Non-atomic temp key file 🐞 Bug ⛨ Security
PuttyBase.Connect() now generates a temp private-key path via GetRandomFileName() and then writes it with File.WriteAllText(), which is non-atomic and can overwrite/delete an existing file if the name already exists or is pre-created. This can clobber unrelated files and weakens the safety of handling sensitive private-key material.
Agent Prompt
### Issue description
`PuttyBase.Connect()` creates a temporary private-key file by generating a random name (`Path.GetRandomFileName()`) and then writing with `File.WriteAllText()`. This is not an exclusive/atomic create and can overwrite an existing file (collision or pre-creation), and the `finally` block then deletes whatever exists at that path.
### Issue Context
This temp file contains SSH private key material and is passed to PuTTY via `-i`, so we still need a real filesystem path. The key requirement is to create the file *atomically* (no overwrite) and only delete the file that we created.
### Fix Focus Areas
- mRemoteNG/Connection/Protocol/PuttyBase.cs[116-151]
- mRemoteNG/Connection/Protocol/PuttyBase.cs[399-407]
### Suggested fix approach
- Replace `Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())` + `File.WriteAllText(...)` with an atomic create:
- Generate a candidate path (optionally add `.ppk` extension for clarity).
- Open with `new FileStream(path, FileMode.CreateNew, FileAccess.Write, FileShare.None)` and write the content via `StreamWriter`.
- Retry on `IOException` for name collisions.
- Track a boolean like `tempKeyFileCreated` and only delete the file in `finally` if creation succeeded.
- (Optional hardening) Apply restrictive ACLs on Windows so only the current user can read the temp key file.
ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
Contributor
There was a problem hiding this comment.
Pull request overview
Addresses SonarCloud-reported critical security and reliability findings in mRemoteNG by hardening temp file creation, updating cryptography defaults, tightening GitHub Actions permissions, and fixing tooltip control state bugs.
Changes:
- Replace insecure temporary file creation for extracted PuTTY private keys.
- Enforce stronger RSA settings in external connector key-import helpers.
- Scope GitHub Actions
contents: writepermission down from workflow-level to job-level; fix tooltip border/font property behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| ObjectListView/SubControls/ToolTipControl.cs | Fixes tooltip HasBorder backing field update and makes Font getter return the cached font. |
| mRemoteNG/Connection/Protocol/PuttyBase.cs | Changes how temporary private key files are named/created before launching PuTTY. |
| ExternalConnectors/DSS/SecretServerInterface.cs | Updates RSA provider construction in PEM import helper. |
| ExternalConnectors/CPS/PasswordstateInterface.cs | Updates RSA provider construction in PEM import helper. |
| .github/workflows/Build_mR-NB.yml | Moves contents: write permission from workflow to job scope. |
Comment on lines
+124
to
126
| optionalTemporaryPrivateKeyPath = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName()); | ||
| File.WriteAllText(optionalTemporaryPrivateKeyPath, privatekey); | ||
| FileInfo fileInfo = new(optionalTemporaryPrivateKeyPath) |
There was a problem hiding this comment.
The temp key file is now created via Path.Combine(Path.GetTempPath(), Path.GetRandomFileName()) but then written with File.WriteAllText(...), which will overwrite an existing file if it already exists. That reintroduces a TOCTOU/symlink/hardlink risk and doesn’t guarantee exclusive creation. Prefer creating the file with FileMode.CreateNew (retrying on collision) and writing to the opened stream, so the temp file is created atomically and cannot be pre-created/replaced by another process.
Comment on lines
+242
to
243
| RSACryptoServiceProvider rsa = new(2048); | ||
| rsa.ImportParameters(rsaParams); |
There was a problem hiding this comment.
new RSACryptoServiceProvider(2048) generates a new 2048-bit keypair before you immediately import the provided PEM parameters. Besides unnecessary work, it may fail if the imported key is a different size (e.g., 4096-bit). Since this method is importing an existing key, consider constructing the provider without forcing a generated key size and instead validate after import that KeySize >= 2048 (rejecting weaker keys explicitly).
Suggested change
| RSACryptoServiceProvider rsa = new(2048); | |
| rsa.ImportParameters(rsaParams); | |
| RSACryptoServiceProvider rsa = new(); | |
| rsa.ImportParameters(rsaParams); | |
| if (rsa.KeySize < 2048) | |
| { | |
| rsa.Dispose(); | |
| throw new CryptographicException("RSA private key size must be at least 2048 bits."); | |
| } |
Comment on lines
14
to
18
| jobs: | ||
| NB-Build-and-Release: | ||
| permissions: | ||
| contents: write | ||
| strategy: |
There was a problem hiding this comment.
Workflow-level contents: write was removed and only the NB-Build-and-Release job now has it. However, Create-Combined-Release uses softprops/action-gh-release to create a tag/release and upload assets, which also requires contents: write. Add permissions: { contents: write } to Create-Combined-Release (or move the permission to just the jobs that need it) to avoid release failures.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix all CRITICAL vulnerabilities and bugs flagged by SonarCloud on the
v1.78.2-devbranch. These issues affect the project's security and reliability ratings (currently both D).Changes
4 CRITICAL Security Vulnerabilities fixed:
PuttyBase.cs: ReplacePath.GetTempFileName()withPath.Combine(GetTempPath(), GetRandomFileName())— insecure temp file creation (S5445, 2 instances)PasswordstateInterface.cs: Specify 2048-bit key size forRSACryptoServiceProvider— default key size too small (S4426)SecretServerInterface.cs: Same RSA key size fix (S4426)1 MAJOR CI Vulnerability fixed:
Build_mR-NB.yml: Movecontents: writepermission from workflow level to job level — follows least-privilege principle (S8233)2 CRITICAL Bugs fixed:
ToolTipControl.cs:HasBordersetter now assignshasBorderbacking field after updating window style (S4275)ToolTipControl.cs:Fontgetter returns backing field instead of re-reading from native handle (S4275)Impact
These fixes should improve the branch quality gate from ERROR → OK:
Test plan
🤖 Generated with Claude Code