PyPI - regscale-cli - Versions diffs - 6.20.8.0__py3-none-any.whl → 6.20.9.0__py3-none-any.whl - Mend - Supply Chain Defender

regscale-cli 6.20.8.0py3-none-any.whl → 6.20.9.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of regscale-cli might be problematic. Click here for more details.

Files changed (10) hide show

regscale/_version.py CHANGED Viewed

@@ -33,7 +33,7 @@ def get_version_from_pyproject() -> str:
                     return match.group(1)
     except Exception:
         pass
-    return "6.20.8.0"  # fallback version
+    return "6.20.9.0"  # fallback version
 __version__ = get_version_from_pyproject()

regscale/core/app/application.py CHANGED Viewed

@@ -399,10 +399,10 @@ class Application(metaclass=Singleton):
         if config is None:
             config = {}
         self.logger.debug(f"Provided config in _fetch_config_from_regscale is: {type(config)}")
-        token = config.get("token") or os.getenv("REGSCALE_TOKEN")
-        domain = config.get("domain") or os.getenv("REGSCALE_DOMAIN")
+        token = config.get("token", os.getenv("REGSCALE_TOKEN"))
+        domain = config.get("domain", os.getenv("REGSCALE_DOMAIN"))
         if domain is None or "http" not in domain or domain == self.template["domain"]:
-            domain = self.retrieve_domain()[:-1] if self.retrieve_domain().endswith("/") else self.retrieve_domain()
+            domain = self.retrieve_domain().rstrip("/")
         self.logger.debug(f"domain: {domain}, token: {token}")
         if domain is not None and token is not None:
             self.logger.info(f"Fetching config from {domain}...")
@@ -416,23 +416,87 @@ class Application(metaclass=Singleton):
                     },
                 )
                 self.logger.debug(f"status_code: {response.status_code} text: {response.text}")
-                res_data = response.json()
-                if config := res_data.get("cliConfig"):
-                    parsed_dict = yaml.safe_load(config)
-                    self.logger.debug(f"parsed_dict: {parsed_dict}")
-                    parsed_dict["token"] = token
-                    parsed_dict["domain"] = domain
-                    from regscale.core.app.internal.login import parse_user_id_from_jwt
-                    parsed_dict["userId"] = res_data.get("userId") or parse_user_id_from_jwt(self, token)
-                    self.logger.debug(f"Updated domain, token and userId: {parsed_dict}")
-                    self.logger.info("Successfully fetched config from RegScale.")
-                    # fill in any missing keys with the template
-                    return {**self.template, **parsed_dict}
+                # Get the encrypted config from the response
+                fetched_config = response.json()
+                if not fetched_config or response.text == "":
+                    self.logger.warning("No secrets found in %s", domain)
+                    return {}
+                # see if it's just a dictionary
+                if isinstance(fetched_config, dict):
+                    parsed_dict = fetched_config
+                else:
+                    decrypted_config = self._decrypt_config(fetched_config, token)
+                    parsed_dict = json.loads(decrypted_config)
+                parsed_dict["token"] = token
+                parsed_dict["domain"] = domain
+                from regscale.core.app.internal.login import parse_user_id_from_jwt
+                parsed_dict["userId"] = parsed_dict.get("userId") or parse_user_id_from_jwt(self, token)
+                self.logger.info("Successfully fetched config from RegScale.")
+                # fill in any missing keys with the template
+                return {**self.template, **parsed_dict}
             except Exception as ex:
-                self.logger.error("Unable to fetch config from RegScale.\n%s", ex)
+                self.logger.error("Unable to fetch config from RegScale.\n%s", str(ex))
         return {}
+    def _decrypt_config(self, encrypted_text: str, bearer_token: str) -> str:
+        """
+        Decrypt the configuration using AES encryption with the bearer token as key
+        :param str encrypted_text: Base64 encoded encrypted text
+        :param str bearer_token: Bearer token used as encryption key
+        :return: Decrypted configuration string
+        :rtype: str
+        """
+        import base64
+        import hashlib
+        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+        from cryptography.hazmat.backends import default_backend
+        try:
+            # Convert from base64
+            combined = base64.b64decode(encrypted_text)
+            # Extract IV (first 16 bytes) and cipher text
+            iv = combined[:16]
+            cipher_text = combined[16:]
+            # Generate key from bearer token using SHA256
+            key = hashlib.sha256(bearer_token.encode()).digest()
+            # Create cipher
+            cipher = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend())
+            # Decrypt
+            decryptor = cipher.decryptor()
+            decrypted = decryptor.update(cipher_text) + decryptor.finalize()
+            # Remove padding and convert to string
+            decoded = decrypted.decode("utf-8")
+            # Remove all trailing whitespace and control characters
+            cleaned = decoded.rstrip()
+            # Also remove any trailing null bytes that might remain
+            while cleaned.endswith("\0"):
+                cleaned = cleaned[:-1]
+            # Use regex to remove any ending backslash-like pattern and characters after it
+            import re
+            # Remove any trailing backslash followed by any characters until the end
+            # This handles both literal backslashes and control characters like \x0e
+            cleaned = re.sub(r"\\[^\\]*$", "", cleaned)
+            # Also remove any trailing control characters that might remain
+            # Avoid regex for trailing control character removal to prevent potential catastrophic backtracking.
+            # Instead, use rstrip with a string of control characters.
+            cleaned = cleaned.rstrip(
+                "".join([chr(i) for i in range(0x00, 0x20)]) + "".join([chr(i) for i in range(0x7F, 0xA0)])
+            )
+            return cleaned
+        except Exception as err:
+            self.logger.error("Unable to decrypt config: %s", err)
+            return "{}"
     def _load_config_from_click_context(self) -> Optional[dict]:
         """
         Load configuration from Click context