Add check to avoid that UnencryptedCommentRegex matches encrypted comments.

Signed-off-by: Felix Fontein <felix@fontein.de>
2026-02-05 12:45:21 +01:00 · 2023-12-27 18:23:27 +01:00
parent f63e844206
commit f6ece99630
2 changed files with 46 additions and 0 deletions
--- a/sops.go
+++ b/sops.go
@@ -498,6 +498,14 @@ func (tree Tree) Encrypt(key []byte, cipher Cipher) (string, error) {
 				if err != nil {
 					return nil, fmt.Errorf("Could not encrypt value: %s", err)
 				}
+				if ok && tree.Metadata.UnencryptedCommentRegex != "" {
+					// If an encrypted comment matches tree.Metadata.UnencryptedCommentRegex, decryption will fail
+					// as the MAC does not match, and the commented value will not be decrypted.
+					matched, _ := regexp.Match(tree.Metadata.UnencryptedCommentRegex, []byte(in.(string)))
+					if matched {
+						return nil, fmt.Errorf("Encrypted comment %q matches UnencryptedCommentRegex! Make sure that UnencryptedCommentRegex cannot match an encrypted comment.", in)
+					}
+				}
 			}
 			return in, nil
 		})
--- a/sops_test.go
+++ b/sops_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"reflect"
+	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -38,6 +39,23 @@ func (c reverseCipher) Decrypt(value string, key []byte, path string) (plaintext
 	return reverse(value), nil
 }

+type encPrefixCipher struct{}
+
+func (c encPrefixCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {
+	b, err := ToBytes(value)
+	if err != nil {
+		return "", err
+	}
+	return "ENC:" + string(b), nil
+}
+func (c encPrefixCipher) Decrypt(value string, key []byte, path string) (plaintext interface{}, err error) {
+	v, ok := strings.CutPrefix(value, "ENC:")
+	if !ok {
+		return nil, fmt.Errorf("String not prefixed with 'ENC:'")
+	}
+	return v, nil
+}
+
 func TestUnencryptedSuffix(t *testing.T) {
 	branches := TreeBranches{
 		TreeBranch{
@@ -599,6 +617,26 @@ func TestUnencryptedCommentRegex(t *testing.T) {
 	}
 }

+func TestUnencryptedCommentRegexFail(t *testing.T) {
+	branches := TreeBranches{
+		TreeBranch{
+			TreeItem{
+				Key:   Comment{"sops:noenc"},
+				Value: nil,
+			},
+			TreeItem{
+				Key:   "foo",
+				Value: "bar",
+			},
+		},
+	}
+	tree := Tree{Branches: branches, Metadata: Metadata{UnencryptedCommentRegex: "ENC"}}
+	cipher := encPrefixCipher{}
+	_, err := tree.Encrypt(bytes.Repeat([]byte("f"), 32), cipher)
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "Encrypted comment \"ENC:sops:noenc\" matches UnencryptedCommentRegex!")
+}
+
 type MockCipher struct{}

 func (m MockCipher) Encrypt(value interface{}, key []byte, path string) (string, error) {