Matrix89 opened a new issue, #12925:
URL: https://github.com/apache/cloudstack/issues/12925

   ### problem
   
   Having the SSH key pairs being identified by their name leads to a lot of weird issues.
   
   1. The key pair validator allows commas (and other special characters like an ampersand) in the key pair name.
   2. The `deployVirtualMachine` command `keypairs` parameter isn't escaped; this breaks on key pairs containing commas.
   4. The `deployVirtualMachine` command `keypair` works with commas.
   5. The UI breaks when a key pair contains commas; below is a single key containing a bunch of commas:
      ![Image](https://github.com/user-attachments/assets/4efda769-376e-4464-856b-d8818cf6c785)
   6. If the API consumer assumes the key pair name is safe and validated by CloudStack, it *could* lead to a command injection (but it requires a lot of wrong assumptions).
   
   ### versions
   
   CloudStack 4.22.0.0
   
   ### The steps to reproduce the bug
   
   You can use the UI to observe most of the issues:
   1. Create a new key pair with a comma in the name, e.g. `test, test`
   2. Try creating a new instance with said key
   
   ### What to do about it?
   
   1. Add a new `keypairId` array parameter to all the endpoints which access key pair name.
   2. Mark the `keypair` and `keypairs` parameters deprecated.
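
The ambiguity described in this issue, and a check an API consumer can apply on its own side, as an added example that is not part of the original issue or of CloudStack's code. `split_keypairs` is a hypothetical model of a comma-separated list parameter, and the `SAFE_NAME` allow-list is an assumption chosen for the example.

```python
import re

# Assumption: a conservative allow-list chosen for this example. Per the
# issue, CloudStack's own validator accepts more characters than this.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def split_keypairs(param: str) -> list[str]:
    """Hypothetical model of a receiver that splits a list parameter on commas."""
    return [part.strip() for part in param.split(",") if part.strip()]


def is_safe_name(name: str) -> bool:
    """True only if the whole name matches the allow-list (no commas, '&', spaces)."""
    return SAFE_NAME.fullmatch(name) is not None


def build_keypairs_param(names: list[str]) -> str:
    """Join names for a comma-separated parameter, refusing ambiguous ones."""
    bad = [n for n in names if not is_safe_name(n)]
    if bad:
        raise ValueError(f"unsafe key pair name(s): {bad!r}")
    param = ",".join(names)
    # Round-trip check: the receiver must recover exactly what was sent.
    if split_keypairs(param) != names:
        raise ValueError("names do not survive the comma-separated encoding")
    return param


if __name__ == "__main__":
    # Constructed sample names; "test, test" is the one from the
    # reproduction steps, "a&b" uses the ampersand mentioned in the issue.
    stored = ["test, test", "deploy-key"]
    # Two stored names come back as three after a naive comma split.
    print(split_keypairs(",".join(stored)))
    for name in stored + ["a&b"]:
        print(repr(name), "safe" if is_safe_name(name) else "rejected")
    print(build_keypairs_param(["deploy-key", "ops_2024"]))
```

Treating the name as untrusted input on the consumer side closes the gap in point 6 regardless of what the server-side validator accepts.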

