Conversation

@carlosmonastyrski
Contributor

Description 📣

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

Tests 🛠️

# Here's some code block to paste some code snippets

@maidul98
Collaborator

maidul98 commented Nov 19, 2025

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues


@carlosmonastyrski
Contributor Author

@greptile

@greptile-apps
Contributor

greptile-apps bot commented Nov 19, 2025

Greptile Summary

  • Implements Chef PKI certificate sync feature enabling automated deployment of SSL/TLS certificates to Chef data bags with support for certificate renewals and lifecycle management
  • Uses native JavaScript regex instead of RE2 package in multiple files, violating ReDoS protection requirements (chef-connection-fns.ts lines 31-51, 62, 105 and chef-pki-sync-constants.ts lines 2-3)
  • Comprehensive documentation provided in /docs folder explaining feature discovery and usage

Confidence Score: 3/5

  • This PR has critical regex security issues that must be fixed before merging
  • Multiple instances of native JavaScript regex usage violate the repository's ReDoS protection policy requiring RE2 package. The formatPrivateKey function and validation patterns use potentially unsafe regex that could be exploited for denial of service attacks. These are critical security concerns that must be addressed.
  • Pay close attention to backend/src/ee/services/app-connections/chef/chef-connection-fns.ts (lines 31-51, 62, 105) and backend/src/services/pki-sync/chef/chef-pki-sync-constants.ts (lines 2-3, 10) for regex security fixes

Important Files Changed

Filename and overview:

  • backend/src/ee/services/app-connections/chef/chef-connection-fns.ts: Added Chef API authentication and data bag operations with native regex usage in formatPrivateKey function that violates ReDoS protection requirements
  • backend/src/services/pki-sync/chef/chef-pki-sync-constants.ts: Defines naming patterns and defaults for Chef PKI sync using native regex patterns for validation
  • backend/src/services/pki-sync/chef/chef-pki-sync-fns.ts: Core Chef PKI sync logic implementing certificate synchronization, updates, and removals with proper RE2 usage in schemas but potential security concerns around certificate handling


@greptile-apps greptile-apps bot left a comment

Additional Comments (3)

  1. backend/src/ee/services/app-connections/chef/chef-connection-fns.ts, line 62 (link)

    syntax: native regex .replace(/\.\d{3}Z$/, "Z") should use RE2

  2. backend/src/ee/services/app-connections/chef/chef-connection-fns.ts, line 105 (link)

    syntax: native regex .match(/.{1,60}/g) should use RE2

  3. backend/src/ee/services/app-connections/chef/chef-connection-fns.ts, line 31-51 (link)

    syntax: native regex instead of RE2 creates ReDoS vulnerability

    The formatPrivateKey function uses native JavaScript regex (lines 35, 38, 46, 49) which violates the custom rule requiring RE2 package for all regex operations. Replace all .replace() calls with RE2 equivalents: new RE2(pattern, flags).replace(string, replacement). Verify patterns at https://devina.io/redos-checker

38 files reviewed, 4 comments

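As an added example (not code from this PR or from the Greptile review): regex-free versions of the two operations flagged above, `.replace(/\.\d{3}Z$/, "Z")` and `.match(/.{1,60}/g)`. The review suggests wrapping the same patterns in RE2; this shows the other option, plain linear-time string walks, which take the ReDoS question off the table for these two call sites. Assumed: the helpers mirror Chef server authentication headers (an ISO 8601 X-Ops-Timestamp without milliseconds, and the base64 signature split into 60-character X-Ops-Authorization-N headers).

```javascript
// Added example, not the PR's code. Both helpers replace a regex call with a
// bounded string walk, so there is no backtracking engine involved at all.

// Equivalent of `.replace(/\.\d{3}Z$/, "Z")`: drop the millisecond fraction that
// Date.prototype.toISOString() always emits, yielding "YYYY-MM-DDTHH:MM:SSZ".
// Like the regex, it only touches the exact shape ".ddd" + "Z" at the end.
function stripMilliseconds(iso) {
  if (iso.length < 5 || !iso.endsWith("Z")) return iso;
  const tail = iso.slice(-5, -1); // expected ".123"
  if (tail[0] !== ".") return iso;
  for (let i = 1; i < 4; i++) {
    const c = tail.charCodeAt(i);
    if (c < 48 || c > 57) return iso; // not an ASCII digit: leave untouched
  }
  return iso.slice(0, -5) + "Z";
}

// Equivalent of `.match(/.{1,60}/g)` on a base64 signature, with two behaviours
// a caller usually wants anyway: an empty input yields [] rather than null
// (so `.map`/`.forEach` on the result cannot throw), and embedded newlines are
// removed first (the regex's "." would silently break chunks at them).
function chunkSignature(b64, width = 60) {
  const flat = b64.split("\n").join("");
  const chunks = [];
  for (let i = 0; i < flat.length; i += width) {
    chunks.push(flat.slice(i, i + width));
  }
  return chunks;
}

// Assumed header layout: Chef expects the signature as numbered
// X-Ops-Authorization-1, -2, ... headers of up to 60 characters each.
function authorizationHeaders(signatureB64) {
  const headers = {};
  chunkSignature(signatureB64).forEach((chunk, idx) => {
    headers[`X-Ops-Authorization-${idx + 1}`] = chunk;
  });
  return headers;
}

// Constructed sample input (not a real signature).
console.log(stripMilliseconds(new Date(0).toISOString()));
console.log(authorizationHeaders("A".repeat(125)));
```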

akhilmhdh
akhilmhdh previously approved these changes Nov 20, 2025
@carlosmonastyrski carlosmonastyrski merged commit 1233ff8 into main Nov 20, 2025
12 checks passed
4 participants