fix(security): harden SSH target handling to prevent argument injection
- Add hostname validation to reject targets starting with '-' - Add '--' delimiter before destination to prevent option injection - Prevents DoS via mDNS poisoning with malicious hostnames Fixes CWE-88 (Argument Injection)
This commit is contained in:
parent
718bc3f9c8
commit
9e5b95468e
@ -41,10 +41,14 @@ export function parseSshTarget(raw: string): SshParsedTarget | null {
|
|||||||
const portRaw = hostPart.slice(colonIdx + 1).trim();
|
const portRaw = hostPart.slice(colonIdx + 1).trim();
|
||||||
const port = Number.parseInt(portRaw, 10);
|
const port = Number.parseInt(portRaw, 10);
|
||||||
if (!host || !Number.isFinite(port) || port <= 0) return null;
|
if (!host || !Number.isFinite(port) || port <= 0) return null;
|
||||||
|
// Security: Reject hostnames starting with '-' to prevent argument injection
|
||||||
|
if (host.startsWith("-")) return null;
|
||||||
return { user: userPart, host, port };
|
return { user: userPart, host, port };
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hostPart) return null;
|
if (!hostPart) return null;
|
||||||
|
// Security: Reject hostnames starting with '-' to prevent argument injection
|
||||||
|
if (hostPart.startsWith("-")) return null;
|
||||||
return { user: userPart, host: hostPart, port: 22 };
|
return { user: userPart, host: hostPart, port: 22 };
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -134,7 +138,8 @@ export async function startSshPortForward(opts: {
|
|||||||
if (opts.identity?.trim()) {
|
if (opts.identity?.trim()) {
|
||||||
args.push("-i", opts.identity.trim());
|
args.push("-i", opts.identity.trim());
|
||||||
}
|
}
|
||||||
args.push(userHost);
|
// Security: Use '--' to prevent userHost from being interpreted as an option
|
||||||
|
args.push("--", userHost);
|
||||||
|
|
||||||
const stderr: string[] = [];
|
const stderr: string[] = [];
|
||||||
const child = spawn("/usr/bin/ssh", args, {
|
const child = spawn("/usr/bin/ssh", args, {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user