wolfssh/client: reject unsanitized fields before known_hosts write

[yosuke-wolfssl]

Reject unsanitized fields before writing known_hosts

Summary

The wolfssh client wrote the destination host name (from argv) and the
peer-supplied key-type verbatim into ~/.ssh/known_hosts via
fprintf(f, "%s %s %s\n", name, type, key). Since entries are
whitespace-delimited and newline-terminated, an attacker-influenced value with
a newline could inject a forged trusted entry, and a space/tab could
forge fields.
Addressed by f_5136.

Fix (apps/wolfssh/common.c)

• New static IsFieldStorable(): rejects a field that is NULL, empty, or
  contains a space/control byte ((unsigned char)c <= ' ') or 0x7f,
  returning WS_BAD_ARGUMENT. High-bit (UTF-8/IDN) bytes are allowed.
• AppendKeyToFile validates name, type, and key before opening the
  file, so a malformed value never reaches fprintf. type matters because
  it is copied verbatim from the peer's host-key blob; the key check is a
  NULL/empty guard (Base64 carries no separators).
• AppendKeyToFile stays static — no production symbol/behavior change.

Testing (tests/regress.c)

New TestAppendKeyToFile, reached via a #ifdef WOLFSSH_TEST_INTERNAL wrapper
(wolfSSH_Test* convention; absent from production builds). Covers: clean
write + a second append that preserves the prior entry; rejection of
newline/space/tab/CR/DEL and NULL/empty in name/type/key, each
asserting nothing is written; and a high-bit name accepted intact.

Verification

regress.test passes; each guard confirmed with a negative control (reverting
the check fails the matching case); clean under ASan + UBSan (LeakSanitizer
n/a on macOS); production wolfssh app builds clean.

[Copilot]

Pull request overview

This PR hardens the wolfssh client’s known_hosts update path by validating untrusted name (CLI), type (peer-supplied), and key fields before they can be written as whitespace-delimited, newline-terminated records—preventing field/line injection into ~/.ssh/known_hosts.

Changes:

• Add IsFieldStorable() and pre-validate name/type/key in AppendKeyToFile() before performing the fprintf write.
• Expose a WOLFSSH_TEST_INTERNAL test hook (wolfSSH_TestAppendKeyToFile) without changing production symbols/behavior.
• Add a regression test covering valid writes/appends and rejection of whitespace/control-byte injection attempts.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
apps/wolfssh/common.c	Adds field sanitization before known_hosts append; adds internal-only test hook wrapper.
apps/wolfssh/common.h	Declares the internal-only wolfSSH_TestAppendKeyToFile hook under WOLFSSH_TEST_INTERNAL.
tests/regress.c	Adds TestAppendKeyToFile to verify correct acceptance/rejection behavior and that invalid inputs do not write.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1045

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1045

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅