From cf82d7e1a6323bac540a7e2995476b914fd4ce51 Mon Sep 17 00:00:00 2001
From: garciadeblas
Date: Tue, 17 Sep 2024 18:27:24 +0200
Subject: [PATCH] Securize ssh connection to DPB WIM using paramiko.RejectPolicy
Change-Id: I36c75bac955f9d576a451bd45212a5168ea5bfae
Signed-off-by: garciadeblas
---
 RO-SDN-dpb/osm_rosdn_dpb/wimconn_dpb.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/RO-SDN-dpb/osm_rosdn_dpb/wimconn_dpb.py b/RO-SDN-dpb/osm_rosdn_dpb/wimconn_dpb.py
index 075b1a84..f79ef998 100755
--- a/RO-SDN-dpb/osm_rosdn_dpb/wimconn_dpb.py
+++ b/RO-SDN-dpb/osm_rosdn_dpb/wimconn_dpb.py
@@ -108,7 +108,10 @@ class DpbSshInterface:
 def __create_client(self):
 ssh_client = paramiko.SSHClient()
- ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+ # Load known host keys
+ ssh_client.load_system_host_keys()
+ # Reject unknown hosts
+ ssh_client.set_missing_host_key_policy(paramiko.RejectPolicy())
 return ssh_client
@@ -132,6 +135,11 @@ class DpbSshInterface:
 look_for_keys=False,
 compress=False,
 )
+ # TODO: sanitizing commands to be executed
+ # Whitelist of allowed commands
+ # valid_commands = ["command1", "command2", "command3"]
+ # if self.__network not in valid_commands:
+ # raise SdnConnectorError("Invalid command executed", 400)
 stdin, stdout, stderr = self.__ssh_client.exec_command(
 command=self.__network
 )
-- 
2.25.1
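Review bot: In `__create_client`, host-key trust now rests entirely on what `load_system_host_keys()` finds, and when called without a filename paramiko silently ignores a missing or unreadable `~/.ssh/known_hosts`, so a deployment where the WIM key was never provisioned will fail at connect time with no hint of the cause. The two added comments restate the calls rather than the operational requirement; a comment such as `# WIM host key must already be in the RO user's known_hosts; unknown or changed keys abort connect()` would tell operators what to prepare. If the known_hosts location has to be deployment-specific, `ssh_client.load_host_keys(path)` accepts an explicit file. The connect call sits outside this hunk, so whether the resulting `paramiko.SSHException` is translated into a clear connector error cannot be confirmed from here.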
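Review bot: `exec_command(command=self.__network)` still runs an unvalidated string after this change, because the added allowlist check is only commented-out placeholder code (`"command1"`, `"command2"`, `"command3"`). Where `self.__network` is built is outside the hunk, but if any part of it derives from API input it needs validation before it reaches the remote shell, and shipping the check disabled leaves that gap open in a commit presented as hardening. Either implement the check with the real command set, or replace the five commented lines with one tracked marker such as `# TODO(<tracker-id>): validate self.__network against an allowlist before exec_command()`. If the draft is kept as a template, its message `"Invalid command executed"` is misleading, since the raise would happen before anything runs. The enclosing method begins before the hunk and continues after it.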