[nexus] base64 decode SSH private key before use

heavycrystal · heavycrystal · commit 1f0c0c7592c2 · 2025-11-04T02:42:46.000+05:30
diff --git a/nexus/Cargo.lock b/nexus/Cargo.lock
diff --git a/nexus/catalog/src/lib.rs b/nexus/catalog/src/lib.rs
@@ -390,8 +390,14 @@ impl Catalog {
             .prepare_typed(
                 "INSERT INTO flows (name, source_peer, destination_peer, description,
                      query_string, flow_metadata) VALUES ($1, $2, $3, $4, $5, $6, $7)",
-                &[types::Type::TEXT, types::Type::INT4, types::Type::INT4, types::Type::TEXT,
-                 types::Type::TEXT, types::Type::JSONB],
+                &[
+                    types::Type::TEXT,
+                    types::Type::INT4,
+                    types::Type::INT4,
+                    types::Type::TEXT,
+                    types::Type::TEXT,
+                    types::Type::JSONB,
+                ],
             )
             .await?;
 
diff --git a/nexus/postgres-connection/Cargo.toml b/nexus/postgres-connection/Cargo.toml
@@ -18,3 +18,4 @@ tokio-util = { version = "0.7", features = ["compat"] }
 tokio-stream = "0.1"
 tracing.workspace = true
 urlencoding = "2"
+base64 = "0.22"
diff --git a/nexus/postgres-connection/src/lib.rs b/nexus/postgres-connection/src/lib.rs
@@ -1,3 +1,4 @@
+use base64::Engine;
 use pt::peerdb_peers::{PostgresConfig, SshConfig};
 use rustls::pki_types::{CertificateDer, ServerName, UnixTime};
 use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme};
@@ -94,7 +95,21 @@ pub async fn create_tunnel(
         session.userauth_password(&ssh_config.user, &ssh_config.password)?;
     }
     if !ssh_config.private_key.is_empty() {
-        session.userauth_pubkey_memory(&ssh_config.user, None, &ssh_config.private_key, None)?;
+        let private_key_bytes = base64::engine::general_purpose::STANDARD
+            .decode(&ssh_config.private_key)
+            .map_err(|e| {
+                io::Error::new(
+                    io::ErrorKind::InvalidData,
+                    format!("Failed to decode private key: {e}"),
+                )
+            })?;
+        let private_key = String::from_utf8(private_key_bytes).map_err(|e| {
+            io::Error::new(
+                io::ErrorKind::InvalidData,
+                format!("Invalid UTF-8 in private key: {e}"),
+            )
+        })?;
+        session.userauth_pubkey_memory(&ssh_config.user, None, &private_key, None)?;
     }
     if !ssh_config.host_key.is_empty() {
         let mut known_hosts = session.known_hosts()?;
