romtuck/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): harden SSH target handling to prevent argument injection

Browse Source 
- Add hostname validation to reject targets starting with '-'
- Add '--' delimiter before destination to prevent option injection
- Prevents DoS via mDNS poisoning with malicious hostnames

Fixes CWE-88 (Argument Injection)
This commit is contained in:
Cyl 2026-01-29 21:58:02 +08:00
parent 718bc3f9c8
commit 9e5b95468e
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/infra/ssh-tunnel.ts
View File

@ -41,10 +41,14 @@ export function parseSshTarget(raw: string): SshParsedTarget | null {
const portRaw = hostPart.slice(colonIdx + 1).trim();
const port = Number.parseInt(portRaw, 10);
if (!host || !Number.isFinite(port) || port <= 0) return null;
// Security: Reject hostnames starting with '-' to prevent argument injection
if (host.startsWith("-")) return null;
return { user: userPart, host, port };
}
if (!hostPart) return null;
// Security: Reject hostnames starting with '-' to prevent argument injection
if (hostPart.startsWith("-")) return null;
return { user: userPart, host: hostPart, port: 22 };
}
@ -134,7 +138,8 @@ export async function startSshPortForward(opts: {
if (opts.identity?.trim()) {
args.push("-i", opts.identity.trim());
}
args.push(userHost);
// Security: Use '--' to prevent userHost from being interpreted as an option
args.push("--", userHost);
const stderr: string[] = [];
const child = spawn("/usr/bin/ssh", args, {