add dns lookup for allowedSubnets feature

This commit is contained in:
zwiy 2021-05-01 14:10:00 +02:00
parent 7b7e8e7533
commit 2a3aae74b2


@ -8,6 +8,9 @@ var debug = require('debug')
var debugWebSSH2 = require('debug')('WebSSH2') var debugWebSSH2 = require('debug')('WebSSH2')
var SSH = require('ssh2').Client var SSH = require('ssh2').Client
var CIDRMatcher = require('cidr-matcher') var CIDRMatcher = require('cidr-matcher')
var validator = require('validator')
var dns = require('dns')
var dnsPromises = dns.promises
// var fs = require('fs') // var fs = require('fs')
// var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8')) // var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8'))
var termCols, termRows var termCols, termRows
@ -16,6 +19,7 @@ var menuData = '<a id="logBtn"><i class="fas fa-clipboard fa-fw"></i> Start Log<
// public // public
module.exports = function socket (socket) { module.exports = function socket (socket) {
async function setupConnection () {
// if websocket connection arrives without an express session, kill it // if websocket connection arrives without an express session, kill it
if (!socket.request.session) { if (!socket.request.session) {
socket.emit('401 UNAUTHORIZED') socket.emit('401 UNAUTHORIZED')
@ -26,9 +30,23 @@ module.exports = function socket (socket) {
// If configured, check that requsted host is in a permitted subnet // If configured, check that requsted host is in a permitted subnet
if ((((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length && (socket.request.session.ssh.allowedSubnets.length > 0)) { if ((((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length && (socket.request.session.ssh.allowedSubnets.length > 0)) {
var ipaddress = socket.request.session.ssh.host
if (!validator.isIP(ipaddress + '')) {
try {
var result = await dnsPromises.lookup(socket.request.session.ssh.host)
ipaddress = result.address
} catch (err) {
console.log('WebSSH2 ' + `error: ${err.code} ${err.hostname}`.red.bold +
' user=' + socket.request.session.username.yellow.bold.underline +
' from=' + socket.handshake.address.yellow.bold.underline)
socket.emit('ssherror', '404 HOST IP NOT FOUND')
socket.disconnect(true)
return
}
}
var matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets) var matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets)
if (!matcher.contains(socket.request.session.ssh.host)) { if (!matcher.contains(ipaddress)) {
console.log('WebSSH2 ' + 'error: Requested host outside configured subnets / REJECTED'.red.bold + console.log('WebSSH2 ' + `error: Requested host ${ipaddress} outside configured subnets / REJECTED`.red.bold +
' user=' + socket.request.session.username.yellow.bold.underline + ' user=' + socket.request.session.username.yellow.bold.underline +
' from=' + socket.handshake.address.yellow.bold.underline) ' from=' + socket.handshake.address.yellow.bold.underline)
socket.emit('ssherror', '401 UNAUTHORIZED') socket.emit('ssherror', '401 UNAUTHORIZED')
@ -191,3 +209,6 @@ module.exports = function socket (socket) {
debugWebSSH2('SSHerror ' + myFunc + theError) debugWebSSH2('SSHerror ' + myFunc + theError)
} }
} }
setupConnection()
}
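Review bot: The subnet check in the `@ -26,9 +30,23` hunk is evaluated against the single address returned by `dnsPromises.lookup`, but the SSH client presumably still connects by `socket.request.session.ssh.host` (the connect call is outside the visible hunks), so a name with several records, or one that is re-resolved at connect time, can pass `matcher.contains(ipaddress)` and then reach an address outside the allowed subnets. Make the checked value and the connected value the same object: once the match succeeds, either store it back with `socket.request.session.ssh.host = ipaddress` or pass `ipaddress` into the later connect options instead of the hostname. On the last hunk, `setupConnection()` is an async function whose promise is dropped, so any throw inside it (for example the `.yellow` chain in the catch branch's log line if `socket.request.session.username` is ever undefined) becomes an unhandled rejection; call it as `setupConnection().catch(function (err) { debugWebSSH2('setupConnection ' + err) })` or equivalent. The body of setupConnection starts and ends outside the visible hunks.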