Using non ASCII characters as value of key in KeyStore should be prohibited

[andsel]

Logstash information:

Please include the following information:

1. Logstash version (e.g. bin/logstash --version)
2. Logstash installation source (e.g. built from source, with a package manager: DEB/RPM, expanded from tar or zip archive, docker)
3. How is Logstash being run (e.g. as a service/service manager: systemd, upstart, etc. Via command line, docker/kubernetes)

Plugins installed: (bin/logstash-plugin list --verbose)

JVM (e.g. java -version):

If the affected version of Logstash is 7.9 (or earlier), or if it is NOT using the bundled JDK or using the 'no-jdk' version in 7.10 (or higher), please provide the following information:

1. JVM version (java -version)
2. JVM installation source (e.g. from the Operating System's package manager, from source, etc).
3. Value of the LS_JAVA_HOME environment variable if set.

OS version (uname -a if on a Unix-like system):

Description of the problem including expected versus actual behavior:

Steps to reproduce:

Please include a minimal but complete recreation of the problem,
including (e.g.) pipeline definition(s), settings, locale, etc. The easier
you make for us to reproduce it, the more likely that somebody will take the
time to look at it.

1. create a key store and store a secret containing a non-ASCII character, for example €
2. run a pipeline that uses the secret store and that value
3. verify the value is not what you expected

Create a key store with non ASCII value

bin/logstash-keystore --path.settings /tmp/tmp_settings create
bin/logstash-keystore --path.settings /tmp/tmp_settings add  TEST_VAR

Run a pipeline that uses the value inserted

bin/logstash --path.settings /tmp/tmp_settings -e "input{stdin{add_field => {field1 => '${TEST_VAR}'}}} output{stdout{codec=>rubydebug}}"

Provide logs (if relevant):

[INFO ] 2023-09-06 16:36:58.987 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
hello
{
          "host" => {
        "hostname" => "andreas-MBP-2.station"
    },
         "event" => {
        "original" => "hello"
    },
       "message" => "hello",
    "@timestamp" => 2023-09-06T14:37:02.988592Z,
        "field1" => "",
      "@version" => "1"
}

---

Additional notes

During the storing of the key in the key store, Logstash casts an array of chars to an array of bytes

logstash/logstash-core/src/main/java/org/logstash/secret/cli/SecretStoreCli.java

Line 131 in 0f3330e

add(secretStore, id, SecretStoreUtil.asciiCharToBytes(secret));

using the SecretStoreUtil.asciiCharToBytes

logstash/logstash-core/src/main/java/org/logstash/secret/store/SecretStoreUtil.java

Lines 64 to 67 in fde473d

	for (int i = 0; i < chars.length; i++) {
	bytes[i] = (byte) chars[i];
	chars[i] = '\0';
	}

Ideally the logstash-keystore CLI tool should notify an error on the characters if it contains a non ASCII and never store anything for that key name into the key store.

Elasticsearch, in doing similar stuff, used an encoder to validate it: https://github.com/elastic/elasticsearch/blob/7a035f5f8435962072157f46031e73855fe4a875/core/src/main/java/org/elasticsearch/common/settings/KeyStoreWrapper.java#L389-L399

[jvalente-salemstate]

I've run into an issue with this and have captured additional results from testing. The keystore is also capturing ANSI Escape codes and saving them to the keystore. It also seems to parse them when they're present in the keystore pass (that is, the env var used to load the keystore. Secrets saved within it do seem to load although displaying the Unicode representation of the char). I discovered this when I kept getting an error about the password being non-ascii when it definitely was.

I added a pipeline to write specific items in a test keystore to a file and it's definitely capturing at least Escape (\u001B)

1235678\u001B9abo

123pressescape\u001Bcontinuetypingbackspacenotheend

escapeclick\u001Bcontinueongoaway\u001Bok

testonetwoescapenow\u001B\u001Ballset

The third line and references to click were me testing what was being captured. Thus far I've only been able to confirm pressing escape does this.