Changes so 'default' is not in host_whitelist
matthu017 committed Jul 1, 2020
1 parent 5e59460 commit 4435b85
Showing 1 changed file with 17 additions and 14 deletions.
31 changes: 17 additions & 14 deletions apps/shell/app.js
Expand Up @@ -62,6 +62,7 @@ let host_whitelist = new Set;
if (process.env.SSHHOST_WHITELIST){
host_whitelist = new Set(process.env.SSHHOST_WHITELIST.split(':'));
}

let default_sshhost;
glob.sync(path.join((process.env.OOD_CLUSTERS || '/etc/ood/config/clusters.d'), '*.y*ml'))
.map(yml => yaml.safeLoad(fs.readFileSync(yml)))
Expand All @@ -72,24 +73,26 @@ glob.sync(path.join((process.env.OOD_CLUSTERS || '/etc/ood/config/clusters.d'),
host_whitelist.add(host);
if (isDefault) default_sshhost = host;
});
if (process.env.DEFAULT_SSHHOST || default_sshhost) host_whitelist.add('default');

default_sshhost = process.env.DEFAULT_SSHHOST || default_sshhost;
function host_and_dir_from_url(url){
let match = url.match(host_path_rx),
hostname = match[1] === "default" ? default_sshhost : match[1],
directory = match[2] ? decodeURIComponent(match[2]) : null;

return [hostname, directory];
}

wss.on('connection', function connection (ws, req) {
var match,
dir,
var dir,
term,
args,
host = process.env.DEFAULT_SSHHOST || default_sshhost,
host,
cmd = process.env.OOD_SSH_WRAPPER || 'ssh';

console.log('Connection established');

// Determine host and dir from request URL
if (match = req.url.match(process.env.PASSENGER_BASE_URI + host_path_rx)) {
if (match[1] !== 'default') host = match[1];
if (match[2]) dir = decodeURIComponent(match[2]);
}

[host, dir] = host_and_dir_from_url(req.url);
args = dir ? [host, '-t', 'cd \'' + dir.replace(/\'/g, "'\\''") + '\' ; exec ${SHELL} -l'] : [host];

process.env.LANG = 'en_US.UTF-8'; // this patch (from b996d36) lost when removing wetty (2c8a022)
Expand Down Expand Up @@ -157,9 +160,9 @@ function default_server_origin(headers){
server.on('upgrade', function upgrade(request, socket, head) {
const requestToken = new URLSearchParams(url.parse(request.url).search).get('csrf'),
client_origin = request.headers['origin'],
server_origin = custom_server_origin(default_server_origin(request.headers)),
match = request.url.match(host_path_rx),
host_in_whitelist = host_whitelist.has(match[1]);
server_origin = custom_server_origin(default_server_origin(request.headers));
var host, dir;
[host, dir] = host_and_dir_from_url(request.url);

if (client_origin &&
client_origin.startsWith('http') &&
Expand All @@ -183,7 +186,7 @@ server.on('upgrade', function upgrade(request, socket, head) {
].join('\r\n') + '\r\n\r\n');

socket.destroy();
} else if (!host_in_whitelist){ // host not in whitelist
} else if (!host_whitelist.has(host)){ // host not in whitelist
socket.write([
'HTTP/1.1 401 Unauthorized',
'Content-Type: text/html; charset=UTF-8',
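Review bot: `host_and_dir_from_url` indexes `match[1]` without checking that `url.match(host_path_rx)` matched, and `decodeURIComponent(match[2])` throws a URIError on a malformed percent-escape; the upgrade handler now calls the helper before its origin, CSRF and whitelist branches, so a request with a non-matching or badly encoded path raises inside the event handler instead of receiving the 401 response. The removed connection-handler code guarded the match with `if (match = ...)`, and that guard is lost in the shared helper. Returning a null hostname on either failure lets the existing `!host_whitelist.has(host)` branch reject the request, as sketched below. The helper is wholly inside this section, but the upgrade handler continues past the last visible line, so whether an exception there ends the process depends on error handling not shown here.

```javascript
function host_and_dir_from_url(url){
  let match = url.match(host_path_rx),
      hostname = null,
      directory = null;

  if (match) {
    hostname = match[1] === "default" ? default_sshhost : match[1];
    try {
      directory = match[2] ? decodeURIComponent(match[2]) : null;
    } catch (err) {
      // Malformed percent-encoding: clear the host so the whitelist check rejects the request.
      hostname = null;
    }
  }

  return [hostname, directory];
}
```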
