Skip to content

fix(vm): stop leaking the VNC password + unify CNI-VNC gate#16

Merged
CMGS merged 1 commit into
masterfrom
fix/vnc-password-hygiene
Jul 4, 2026
Merged

fix(vm): stop leaking the VNC password + unify CNI-VNC gate#16
CMGS merged 1 commit into
masterfrom
fix/vnc-password-hygiene

Conversation

@CMGS

@CMGS CMGS commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Adversarial-review findings on tonight's VNC-over-proxy feature.

Security

  • VNCPass persisted in plaintext to vm.json and echoed by vm inspect / vm list -o json, though it's launch-scoped and re-set from the flag every start — never read back. Now json:"-" (run passes the in-memory record to launch, so the in-process value is untouched).
  • setVNCPassword leaked the password via its error: the returned fmt.Errorf("qemu: %s", out) embedded the HMP echo of set_password vnc <pw>, landing in stderr/CI logs. Static error now.

Robustness

  • startVNCProxy orphan: a WritePIDFile failure after the proxy forked left an unreapable child holding the host VNC port. Kill it on that path.
  • Gate dedup + test: the CNI-VNC mandatory-password check was copy-pasted at create/clone/launch. Extracted requireCNIVNCPassword + TestRequireCNIVNCPassword so a future refactor can't silently drop the off-box-exposure guard.

Verification

GOWORK=off build/test/-race green; lint 0 issues both GOOS; fmt-check clean. No behavior change beyond the security fixes.

- VNCPass is launch-scoped and set from the flag on every start, but it
  was persisted to vm.json (json tag) and echoed by inspect/list — a
  plaintext password at rest. Mark it json:"-".
- setVNCPassword embedded the full HMP dialogue in its error, which
  echoes the typed 'set_password vnc <pw>' line to stderr/CI logs.
  Return a static error instead.
- startVNCProxy left an orphan proxy holding the host port if WritePIDFile
  failed after the child forked; kill it on that path.
- The mandatory-password gate was hand-duplicated at create/clone/launch;
  extract requireCNIVNCPassword and add a regression test.
@CMGS CMGS merged commit 5a6a694 into master Jul 4, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant