feat(secret-rotation): add HP iLO local account password rotation by victorvhs017 · Pull Request #5744 · Infisical/infisical

victorvhs017 · 2026-03-18T00:59:47Z

Context

Adds HP iLO Local Account Secret Rotation support to Infisical. This feature enables automated password rotation for HP Integrated Lights-Out (iLO) management interfaces, which are commonly used for remote server management in enterprise environments.

Key changes:

New HP iLO rotation type with full backend implementation (rotation factory, schemas, types, routes)
SSH connection layer improvements: added retry mechanism with configurable timeout (45s) and retry delay (5s) to handle slow SSH daemon startup on iLO devices
Increased Fastify connection timeout from 30s to 60s for non-HSM deployments to support long-running SSH operations
Frontend forms, review fields, and secrets mapping for HP iLO rotation configuration
Full API documentation and user documentation with screenshots

Steps to verify the change

Create an SSH App Connection pointing to an HP iLO device
Create an HP iLO Local Account secret rotation using that connection
Verify the rotation executes successfully and password is changed
Test reconcile flow
Test API
Test with gateway
Test that the retry mechanism works when iLO SSH is slow to respond (first attempt may timeout, second should succeed) - Check these in the logs.

Type

Checklist

Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
Tested locally
Updated docs (if needed)
Updated CLAUDE.md files (if needed)
Read the contributing guide

- Added new router for HP iLO Local Account rotation with endpoints for create, update, delete, list, and reconcile operations. - Introduced schemas and types for HP iLO rotation, including validation and password requirements. - Integrated HP iLO rotation logic into the secret rotation service, supporting both login-as-target and login-as-root methods. - Updated API documentation to include HP iLO Local Account endpoints and configuration details.

- Changed validation message for username to clarify allowed characters. - Adjusted password length requirement in documentation from 48 to 39 characters for HP iLO local account. - Removed unnecessary console logs from SecretRotation components to clean up code. - Enhanced logic for displaying the reconcile button based on rotation method in SecretRotationTableRow and SecretRotationItem components.

- Added password sanitization in error messages for iLO command failures to improve security. - Updated the ReconcileLocalAccountRotationModal to support HP iLO local account rotations. - Introduced a new image for HP iLO local account reconciliation in the documentation.

- Introduced a new binary image for the HP iLO local account reconciliation process in the documentation.

maidul98 · 2026-03-18T01:00:30Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

…nctions - Removed unnecessary algorithm configurations from SSH connection setup in hp-ilo-rotation-fns.ts and ssh-connection-fns.ts. - Updated TSshConnectionConfig type to eliminate the algorithms property, streamlining the connection process.

linear · 2026-03-18T17:53:11Z

SECRETS-142 Add secret rotation for HPE ILO using SSH connection

- Increased SSH connection timeout from 15 seconds to 45 seconds to improve connection stability. - Added retry logic for SSH connections, allowing up to 2 retries with a 5-second delay between attempts. - Introduced logging for connection attempts and errors to aid in troubleshooting.

- Updated the username validation logic to throw a BadRequestError if the provided username matches the credentials in the connection, enhancing error handling and user feedback.

greptile-apps · 2026-03-18T22:15:48Z

Greptile Summary

This PR adds full-stack support for HP iLO (Integrated Lights-Out) local account rotation, including SSH shell-based rotation logic, a retry mechanism for slow iLO SSH daemons, and corresponding frontend forms, type definitions, and documentation. The implementation follows the existing rotation v2 pattern closely and is generally well-structured.

Key issues found:

P1 — Command injection risk in iLO shell commands (hp-ilo-rotation-fns.ts): The generated credential is interpolated directly into an iLO shell command string without validating it contains no whitespace. A user with write access to a rotation config can configure custom character requirements to include newlines via the password requirements API field, causing the iLO shell to interpret injected text as a separate command (e.g., privilege escalation). A pre-command whitespace guard should be added.
P2 — Global SSH changes have broad impact: The SSH timeout increase (15s to 45s), removal of the explicit server host key algorithm list, and the Fastify connection timeout increase (30s to 60s) all affect every SSH app connection and every non-HSM HTTP request, not just HP iLO. These changes deserve explicit justification.
P2 — Frontend/backend rotation method default mismatch: The UI defaults to LoginAsTarget while the backend factory defaults to LoginAsRoot. Direct API users and UI users will see different default behavior.
P2 — RE2 usage pattern: The native String.prototype.replace() is used with a RE2 instance instead of the RE2 instance's own replace method per project convention.
P2 — Unstructured log statements: New log calls use free-form strings instead of the project's structured field-based logging format.

Confidence Score: 2/5

Not safe to merge as-is due to a command injection risk in the iLO shell command builder that can be triggered by a privileged user configuring custom password requirements.
The P1 command injection issue in hp-ilo-rotation-fns.ts is a genuine security concern: unsanitized credential values are interpolated into an iLO shell command, and the allowedSymbols field on passwordRequirements is fully user-controllable with no character-level restrictions. Additionally, the global SSH changes (timeout, host key algorithms) and the Fastify timeout change deserve review to confirm they are safe across all existing integrations.
Pay close attention to backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts (command injection) and backend/src/services/app-connection/ssh/ssh-connection-fns.ts (global SSH behavior changes).

Important Files Changed

Filename	Overview
backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts	Core rotation logic - contains a P1 command injection risk via unsanitized credential interpolation in iLO shell commands, and a P2 RE2 usage pattern violation.
backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-schemas.ts	Schema definitions look correct; username is properly validated to alphanumeric/hyphen/underscore; passwordRequirements uses the shared schema with no additional iLO-specific symbol restrictions.
backend/src/ee/services/secret-rotation-v2/secret-rotation-v2-service.ts	Service correctly extends reconcile support to HP iLO; the method resolution logic is a bit verbose but correct; union types updated properly.
backend/src/server/app.ts	Fastify connection timeout increased from 30s to 60s for non-HSM deployments to support long-running SSH operations; this is a global change that affects all non-HSM routes, not just HP iLO.
frontend/src/components/secret-rotations-v2/forms/SecretRotationV2ParametersFields/HpIloRotationParametersFields.tsx	Parameter fields are well-structured; however the default rotation method in the UI (LoginAsTarget) disagrees with the backend default (LoginAsRoot), causing a confusing UX for first-time users who don't change the method.
backend/src/services/app-connection/ssh/ssh-connection-fns.ts	Adds SSH retry logic with configurable timeout; increases readyTimeout from 15s to 45s globally; removes explicit server host key algorithm restriction affecting all SSH connections; new log statements use unstructured format instead of the project's structured logging convention.

Comments Outside Diff (3)

backend/src/services/app-connection/ssh/ssh-connection-fns.ts, line 45-52 (link)

Removal of explicit server host key algorithm list

The diff removes the explicit serverHostKey algorithm restriction that was previously in place:
```
-      algorithms: {
-        serverHostKey: ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp521"]
-      }
```
Without this restriction, the ssh2 library will negotiate the algorithm based on what the server offers, which may include weaker legacy algorithms (e.g., ssh-dss). While this change was likely needed for HP iLO compatibility, removing it globally affects all SSH app connections, not just HP iLO. Consider whether this restriction should be removed only for iLO connections, or whether a note should be added explaining why global removal is acceptable.
backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts, line 267-269 (link)

createIloConnection is a needless wrapper

This function adds no logic and is just an alias:
```
const createIloConnection = (config: TSshConnectionConfig, targetHost: string, targetPort: number): Promise<Client> => {
  return getSshConnectionClient(config, targetHost, targetPort);
};
```
Every call site already has access to getSshConnectionClient directly. Consider removing this wrapper and calling getSshConnectionClient directly to reduce indirection.

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}
backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts, line 310-312 (link)

Command injection risk via generated credential value

The generated credential value is directly interpolated into an iLO shell command string without any sanitization check. The iLO SSH shell parses commands by whitespace — if the generated credential contains a space, the token after the space would be treated as an extra argument; if it contains a newline character, the iLO shell would treat it as a command separator and execute whatever follows as an additional iLO command, enabling privilege escalation or arbitrary configuration changes.

Although the default allowedSymbols is empty, passwordRequirements is entirely user-configurable via the API with no restriction on which characters allowedSymbols may include. A user with write access to a rotation config could specify newlines as allowed symbols to exploit this.

Fix: Before building the command string, validate that the generated credential contains no whitespace characters and throw a BadRequestError if it does. Use RE2 for the check per project conventions. This applies to both the target-mode and admin-mode helper functions.

_{Last reviewed commit: "fix: improve usernam..."}

backend/src/services/app-connection/ssh/ssh-connection-fns.ts

...secret-rotations-v2/forms/SecretRotationV2ParametersFields/HpIloRotationParametersFields.tsx

backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts

- Changed the method of sanitizing password in error messages from using buffer.replace to passwordPattern.replace for improved accuracy. - Updated SSH connection logging to include host and port details for better traceability during connection attempts and validations. - Adjusted default rotation method in the HP iLO rotation parameters to 'LoginAsRoot' for consistency in behavior.

- Updated the connection timeout for non-HSM configurations from 60 seconds to 70 seconds to enhance performance. - Refined error notification logic to provide a more user-friendly message and conditionally include request ID for better traceability.

- Updated TLS and gateway connection timeouts from 30 seconds to 120 seconds to enhance connection reliability. - Adjusted application connection timeout to a consistent 100 seconds for better performance across configurations. - Increased SSH connection timeout from 45 seconds to 50 seconds to further improve connection stability.

backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts

backend/src/services/app-connection/ssh/ssh-connection-fns.ts

.../secret-manager/SecretDashboardPage/components/SecretRotationListView/SecretRotationItem.tsx

backend/src/ee/services/secret-rotation-v2/hp-ilo-rotation/hp-ilo-rotation-fns.ts

IgorHorta · 2026-03-19T18:27:22Z

@victorvhs017
Im having this in an intermittent way after creating the rotation.

IgorHorta · 2026-03-19T18:29:38Z

@victorvhs017 Im having this in an intermittent way after creating the rotation.

- Introduced a maximum buffer size limit for iLO shell responses to prevent overflow and improve error handling. - Added logic to reject the promise if the buffer exceeds the defined maximum size, ensuring stability during command execution.

IgorHorta

code looks good!

Victor Hugo dos Santos added 4 commits March 17, 2026 21:43

feat: add new image for HP iLO local account reconciliation

6857718

- Introduced a new binary image for the HP iLO local account reconciliation process in the documentation.

mintlify bot deployed to staging - docs March 18, 2026 01:02 View deployment

victorvhs017 changed the title ~~Feature/hp ilo secret rotation~~ feat(secret-rotation): add HP iLO local account password rotation Mar 18, 2026

Victor Hugo dos Santos added 2 commits March 18, 2026 18:57

fix: improve username validation in HP iLO rotation function

a5bde5f

- Updated the username validation logic to throw a BadRequestError if the provided username matches the credentials in the connection, enhancing error handling and user feedback.

victorvhs017 marked this pull request as ready for review March 18, 2026 22:09

greptile-apps bot reviewed Mar 18, 2026

View reviewed changes

Victor Hugo dos Santos added 3 commits March 18, 2026 20:51

IgorHorta self-requested a review March 19, 2026 13:52