mirror of
https://github.com/slackhq/nebula.git
synced 2026-04-01 07:05:17 +02:00
add sshd.sandbox_dir config option
Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory. Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior.
This commit is contained in:
Jay Wren
63
ssh.go
63
ssh.go
@@ -10,6 +10,7 @@ import (
|
|||||||
"net"
|
"net"
|
||||||
"net/netip"
|
"net/netip"
|
||||||
"os"
|
"os"
|
||||||
|
"path/filepath"
|
||||||
"reflect"
|
"reflect"
|
||||||
"runtime"
|
"runtime"
|
||||||
"runtime/pprof"
|
"runtime/pprof"
|
||||||
@@ -188,6 +189,8 @@ func configSSH(l *logrus.Logger, ssh *sshd.SSHServer, c *config.C) (func(), erro
|
|||||||
}
|
}
|
||||||
|
|
||||||
func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Interface) {
|
func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Interface) {
|
||||||
|
sandboxDir := c.GetString("sshd.sandbox_dir", "")
|
||||||
|
|
||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
Name: "list-hostmap",
|
Name: "list-hostmap",
|
||||||
ShortDescription: "List all known previously connected hosts",
|
ShortDescription: "List all known previously connected hosts",
|
||||||
@@ -246,7 +249,9 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
|
|||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
Name: "start-cpu-profile",
|
Name: "start-cpu-profile",
|
||||||
ShortDescription: "Starts a cpu profile and write output to the provided file, ex: `cpu-profile.pb.gz`",
|
ShortDescription: "Starts a cpu profile and write output to the provided file, ex: `cpu-profile.pb.gz`",
|
||||||
Callback: sshStartCpuProfile,
|
Callback: func(fs any, a []string, w sshd.StringWriter) error {
|
||||||
|
return sshStartCpuProfile(sandboxDir, fs, a, w)
|
||||||
|
},
|
||||||
})
|
})
|
||||||
|
|
||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
@@ -261,7 +266,9 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
|
|||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
Name: "save-heap-profile",
|
Name: "save-heap-profile",
|
||||||
ShortDescription: "Saves a heap profile to the provided path, ex: `heap-profile.pb.gz`",
|
ShortDescription: "Saves a heap profile to the provided path, ex: `heap-profile.pb.gz`",
|
||||||
Callback: sshGetHeapProfile,
|
Callback: func(fs any, a []string, w sshd.StringWriter) error {
|
||||||
|
return sshGetHeapProfile(sandboxDir, fs, a, w)
|
||||||
|
},
|
||||||
})
|
})
|
||||||
|
|
||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
@@ -273,7 +280,9 @@ func attachCommands(l *logrus.Logger, c *config.C, ssh *sshd.SSHServer, f *Inter
|
|||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
Name: "save-mutex-profile",
|
Name: "save-mutex-profile",
|
||||||
ShortDescription: "Saves a mutex profile to the provided path, ex: `mutex-profile.pb.gz`",
|
ShortDescription: "Saves a mutex profile to the provided path, ex: `mutex-profile.pb.gz`",
|
||||||
Callback: sshGetMutexProfile,
|
Callback: func(fs any, a []string, w sshd.StringWriter) error {
|
||||||
|
return sshGetMutexProfile(sandboxDir, fs, a, w)
|
||||||
|
},
|
||||||
})
|
})
|
||||||
|
|
||||||
ssh.RegisterCommand(&sshd.Command{
|
ssh.RegisterCommand(&sshd.Command{
|
||||||
@@ -506,13 +515,39 @@ func sshListLighthouseMap(lightHouse *LightHouse, a any, w sshd.StringWriter) er
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func sshStartCpuProfile(fs any, a []string, w sshd.StringWriter) error {
|
// sshSanitizeFilePath validates that the given file path is within the sandbox directory.
|
||||||
|
// If sandboxDir is empty, the path is returned as-is for backwards compatibility.
|
||||||
|
func sshSanitizeFilePath(sandboxDir, filePath string) (string, error) {
|
||||||
|
if sandboxDir == "" {
|
||||||
|
return filePath, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// Clean and resolve the path relative to the sandbox directory
|
||||||
|
if !filepath.IsAbs(filePath) {
|
||||||
|
filePath = filepath.Join(sandboxDir, filePath)
|
||||||
|
}
|
||||||
|
cleaned := filepath.Clean(filePath)
|
||||||
|
|
||||||
|
// Ensure the resolved path is within the sandbox directory
|
||||||
|
if !strings.HasPrefix(cleaned, filepath.Clean(sandboxDir)+string(filepath.Separator)) && cleaned != filepath.Clean(sandboxDir) {
|
||||||
|
return "", fmt.Errorf("path %q is outside the sandbox directory %q", filePath, sandboxDir)
|
||||||
|
}
|
||||||
|
|
||||||
|
return cleaned, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func sshStartCpuProfile(sandboxDir string, fs any, a []string, w sshd.StringWriter) error {
|
||||||
if len(a) == 0 {
|
if len(a) == 0 {
|
||||||
err := w.WriteLine("No path to write profile provided")
|
err := w.WriteLine("No path to write profile provided")
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
file, err := os.Create(a[0])
|
filePath, err := sshSanitizeFilePath(sandboxDir, a[0])
|
||||||
|
if err != nil {
|
||||||
|
return w.WriteLine(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
file, err := os.Create(filePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
err = w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
err = w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
||||||
return err
|
return err
|
||||||
@@ -676,12 +711,17 @@ func sshChangeRemote(ifce *Interface, fs any, a []string, w sshd.StringWriter) e
|
|||||||
return w.WriteLine("Changed")
|
return w.WriteLine("Changed")
|
||||||
}
|
}
|
||||||
|
|
||||||
func sshGetHeapProfile(fs any, a []string, w sshd.StringWriter) error {
|
func sshGetHeapProfile(sandboxDir string, fs any, a []string, w sshd.StringWriter) error {
|
||||||
if len(a) == 0 {
|
if len(a) == 0 {
|
||||||
return w.WriteLine("No path to write profile provided")
|
return w.WriteLine("No path to write profile provided")
|
||||||
}
|
}
|
||||||
|
|
||||||
file, err := os.Create(a[0])
|
filePath, err := sshSanitizeFilePath(sandboxDir, a[0])
|
||||||
|
if err != nil {
|
||||||
|
return w.WriteLine(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
file, err := os.Create(filePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
err = w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
err = w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
||||||
return err
|
return err
|
||||||
@@ -712,12 +752,17 @@ func sshMutexProfileFraction(fs any, a []string, w sshd.StringWriter) error {
|
|||||||
return w.WriteLine(fmt.Sprintf("New value: %d. Old value: %d", newRate, oldRate))
|
return w.WriteLine(fmt.Sprintf("New value: %d. Old value: %d", newRate, oldRate))
|
||||||
}
|
}
|
||||||
|
|
||||||
func sshGetMutexProfile(fs any, a []string, w sshd.StringWriter) error {
|
func sshGetMutexProfile(sandboxDir string, fs any, a []string, w sshd.StringWriter) error {
|
||||||
if len(a) == 0 {
|
if len(a) == 0 {
|
||||||
return w.WriteLine("No path to write profile provided")
|
return w.WriteLine("No path to write profile provided")
|
||||||
}
|
}
|
||||||
|
|
||||||
file, err := os.Create(a[0])
|
filePath, err := sshSanitizeFilePath(sandboxDir, a[0])
|
||||||
|
if err != nil {
|
||||||
|
return w.WriteLine(err.Error())
|
||||||
|
}
|
||||||
|
|
||||||
|
file, err := os.Create(filePath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
return w.WriteLine(fmt.Sprintf("Unable to create profile file: %s", err))
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user