starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

Secret encryption fails with 128+ characters under Python 2 #2037

New Issue
Closed
opened 2025-12-29 17:21:40 +01:00 by adam · 1 comment
adam commented 2025-12-29 17:21:40 +01:00
Owner
Copy Link

Originally created by @alpinemiaou on GitHub (Oct 1, 2018).

I can't succeed to store ssh keypair within netbox secrets resource.
I can import the content successfully but I can't retrieve it.
When I try to read/unlock the content, I receive a 500 error code with the following exception:

<pre><strong>&lt;class &#39;UnicodeDecodeError&#39;&gt;</strong><br />
&#39;utf-8&#39; codec can&#39;t decode byte 0xac in position 0: invalid start byte</pre>

Environment

Prerequisites

Steps to Reproduce

generate a ssh keypair

  • write a private key "ssh_host_ecdsa_key" with the following content:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRQ6X4h21yAfyfRqXbOgHd6pHe/p0Vh
YyM0/547xNy2bM/mSDLTEtW2Xg9eoK6wz7xFT3Y906SAB2gTFLHQquIPAAAAqGiEqL5ohK
i+AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gp
ds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g
8AAAAgVbomnr+wervZTRBuK/GcsRs2DXHo0SaiGxG2r6VaUUgAAAAJcm9vdEB0ZXN0AQID
BAUGBw==
-----END OPENSSH PRIVATE KEY-----
  • write a public key "ssh_host_ecdsa_key.pub" with the following content:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gpds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g8= root@test

import content (using web UI)

Assuming the following:

  • your device name is "test"
  • your secret-role name is "ssh_host_ecdsa"
for the private key, copy/paste the following:
device,role,name,plaintext
test,ssh_host_ecdsa,private,"-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRQ6X4h21yAfyfRqXbOgHd6pHe/p0Vh
YyM0/547xNy2bM/mSDLTEtW2Xg9eoK6wz7xFT3Y906SAB2gTFLHQquIPAAAAqGiEqL5ohK
i+AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gp
ds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g
8AAAAgVbomnr+wervZTRBuK/GcsRs2DXHo0SaiGxG2r6VaUUgAAAAJcm9vdEB0ZXN0AQID
BAUGBw==
-----END OPENSSH PRIVATE KEY-----"
for the public key, copy/paste the following:
device,role,name,plaintext
test,ssh_host_ecdsa,public,ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gpds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g8= root@test

Expected Behavior

  • we should be able to "unlock" (when using web UI) both public and private secret data.

Observed Behavior

  • Unlocking private key secret data works and display content
  • Unlocking public key secret data pops up a window with the following content:
<!DOCTYPE html>
<html lang="en">

<head>
    <title>Server Error</title>
    <link rel="stylesheet" href="/static/bootstrap-3.3.7-dist/css/bootstrap.min.css">
    <link rel="stylesheet" href="/static/font-awesome-4.7.0/css/font-awesome.min.css">
    <meta charset="UTF-8">
</head>

<body>
    <div class="container-fluid">
        <div class="row">
            <div class="col-md-6 col-md-offset-3">
                <div class="panel panel-danger" style="margin-top: 200px">
                    <div class="panel-heading">
                        <strong>
                            <i class="fa fa-warning"></i>
                            Server Error
                        </strong>
                    </div>
                    <div class="panel-body">
                        
                            <p>
                                There was a problem with your request. Please contact an administrator.
                            </p>
                        
                        <hr />
                        <p>
                            The complete exception is provided below:
                        </p>
<pre><strong>&lt;class &#39;UnicodeDecodeError&#39;&gt;</strong><br />
&#39;utf-8&#39; codec can&#39;t decode byte 0xac in position 0: invalid start byte</pre>
                        <p>
                            If further assistance is required, please post to the <a href="https://groups.google.com/forum/#!forum/netbox-discuss">NetBox mailing list</a>.
                        </p>
                        <div class="text-right">
                            <a href="/" class="btn btn-primary">Home Page</a>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>
</body>

</html>

On server side, nginx logs return the following HTTP error code:

netbox_1    | 172.18.0.1 - - [01/Oct/2018:13:49:49 +0000] "GET /api/secrets/secrets/78/ HTTP/1.0" 500 1798 "http://10.5.2.254:32769/secrets/secrets/78/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0"

Additional comments

  • import is always successful. Unlock/read secret content genrerates the error mentionned above
  • The problem is random and not specific to the tested and mentionned content sample below
  • problem is reproducible either using web UI or via CLI/API
  • problem still persists even if you intend to encode data (using either b64encode/urllib.quote)
  • no matter what key type is, problem occurs (rsa,dsa,...)
Originally created by @alpinemiaou on GitHub (Oct 1, 2018). I can't succeed to store ssh keypair within netbox secrets resource. I can import the content successfully but I can't retrieve it. When I try to read/unlock the content, I receive a 500 error code with the following exception: ``` <pre><strong>&lt;class &#39;UnicodeDecodeError&#39;&gt;</strong><br /> &#39;utf-8&#39; codec can&#39;t decode byte 0xac in position 0: invalid start byte</pre> ``` ### Environment * Python version: 2.7.14 * NetBox version: 2.3.2, 2.4.4 (using https://github.com/ninech/netbox-docker) ### Prerequisites - you need an active user key in netbox (see https://netbox.readthedocs.io/en/latest/core-functionality/secrets/#user-keys) - you need a session key (see https://netbox.readthedocs.io/en/latest/api/working-with-secrets/#generating-a-session-key) - you need an API token key with read/write access enabled - you need to provision your netbox instance with the following resources: - site - manufacturer - device type - device role - device - secret role ### Steps to Reproduce #### generate a ssh keypair - write a private key "ssh_host_ecdsa_key" with the following content: ``` -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRQ6X4h21yAfyfRqXbOgHd6pHe/p0Vh YyM0/547xNy2bM/mSDLTEtW2Xg9eoK6wz7xFT3Y906SAB2gTFLHQquIPAAAAqGiEqL5ohK i+AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gp ds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g 8AAAAgVbomnr+wervZTRBuK/GcsRs2DXHo0SaiGxG2r6VaUUgAAAAJcm9vdEB0ZXN0AQID BAUGBw== -----END OPENSSH PRIVATE KEY----- ``` - write a public key "ssh_host_ecdsa_key.pub" with the following content: ``` ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gpds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g8= root@test ``` #### import content (using web UI) Assuming the following: - your device name is "test" - your secret-role name is "ssh_host_ecdsa" ##### for the private key, copy/paste the following: ``` device,role,name,plaintext test,ssh_host_ecdsa,private,"-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRQ6X4h21yAfyfRqXbOgHd6pHe/p0Vh YyM0/547xNy2bM/mSDLTEtW2Xg9eoK6wz7xFT3Y906SAB2gTFLHQquIPAAAAqGiEqL5ohK i+AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gp ds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g 8AAAAgVbomnr+wervZTRBuK/GcsRs2DXHo0SaiGxG2r6VaUUgAAAAJcm9vdEB0ZXN0AQID BAUGBw== -----END OPENSSH PRIVATE KEY-----" ``` ##### for the public key, copy/paste the following: ``` device,role,name,plaintext test,ssh_host_ecdsa,public,ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFDpfiHbXIB/J9Gpds6Ad3qkd7+nRWFjIzT/njvE3LZsz+ZIMtMS1bZeD16grrDPvEVPdj3TpIAHaBMUsdCq4g8= root@test ``` ### Expected Behavior - we should be able to "unlock" (when using web UI) both public and private secret data. ### Observed Behavior - Unlocking private key secret data works and display content - Unlocking public key secret data pops up a window with the following content: ``` <!DOCTYPE html> <html lang="en"> <head> <title>Server Error</title> <link rel="stylesheet" href="/static/bootstrap-3.3.7-dist/css/bootstrap.min.css"> <link rel="stylesheet" href="/static/font-awesome-4.7.0/css/font-awesome.min.css"> <meta charset="UTF-8"> </head> <body> <div class="container-fluid"> <div class="row"> <div class="col-md-6 col-md-offset-3"> <div class="panel panel-danger" style="margin-top: 200px"> <div class="panel-heading"> <strong> <i class="fa fa-warning"></i> Server Error </strong> </div> <div class="panel-body"> <p> There was a problem with your request. Please contact an administrator. </p> <hr /> <p> The complete exception is provided below: </p> <pre><strong>&lt;class &#39;UnicodeDecodeError&#39;&gt;</strong><br /> &#39;utf-8&#39; codec can&#39;t decode byte 0xac in position 0: invalid start byte</pre> <p> If further assistance is required, please post to the <a href="https://groups.google.com/forum/#!forum/netbox-discuss">NetBox mailing list</a>. </p> <div class="text-right"> <a href="/" class="btn btn-primary">Home Page</a> </div> </div> </div> </div> </div> </div> </body> </html> ``` On server side, nginx logs return the following HTTP error code: ``` netbox_1 | 172.18.0.1 - - [01/Oct/2018:13:49:49 +0000] "GET /api/secrets/secrets/78/ HTTP/1.0" 500 1798 "http://10.5.2.254:32769/secrets/secrets/78/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" ``` ### Additional comments - import is always successful. Unlock/read secret content genrerates the error mentionned above - The problem is random and not specific to the tested and mentionned content sample below - problem is reproducible either using web UI or via CLI/API - problem still persists even if you intend to encode data (using either b64encode/urllib.quote) - no matter what key type is, problem occurs (rsa,dsa,...)
adam added the type: bugstatus: accepted labels 2025-12-29 17:21:40 +01:00
adam closed this issue 2025-12-29 17:21:40 +01:00
adam commented 2025-12-29 17:21:40 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Nov 5, 2018):

Wow, this is all over the place. I can confirm that NetBox generates an exception when attempting to create a secret larger than 127 bytes under Python 2, but beyond that much of what you're saying doesn't make sense.

import is always successful.

I receive the same exception no matter how the secret is created. The exception originates from within the _pad method, which is always called on save().

The problem is random

Again, this is consistently reproducible.

problem still persists even if you intend to encode data

I'm not sure what this is in reference too. NetBox doesn't care what you do with the stored data.

no matter what key type is, problem occurs (rsa,dsa,...)

This has nothing to do with SSH key types; it is solely an issue regarding the encoding of data size. The same thing happens with any string of 128+ characters.

@jeremystretch commented on GitHub (Nov 5, 2018): Wow, this is all over the place. I can confirm that NetBox generates an exception when attempting to create a secret larger than 127 bytes under Python 2, but beyond that much of what you're saying doesn't make sense. > import is always successful. I receive the same exception no matter how the secret is created. The exception originates from within the `_pad` method, which is always called on `save()`. > The problem is random Again, this is consistently reproducible. > problem still persists even if you intend to encode data I'm not sure what this is in reference too. NetBox doesn't care what you do with the stored data. > no matter what key type is, problem occurs (rsa,dsa,...) This has nothing to do with SSH key types; it is solely an issue regarding the encoding of data size. The same thing happens with any string of 128+ characters.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: accepted type: bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#2037
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?