add dns lookup for allowedSubnets feature

2021-05-01 14:10:00 +02:00 · 2021-05-01 14:10:00 +02:00 · 2a3aae74b2
commit 2a3aae74b2
parent 7b7e8e7533
1 changed files with 183 additions and 162 deletions
--- a/app/server/socket.js
+++ b/app/server/socket.js
@ -8,6 +8,9 @@ var debug = require('debug')
 var debugWebSSH2 = require('debug')('WebSSH2')
 var SSH = require('ssh2').Client
 var CIDRMatcher = require('cidr-matcher')
+var validator = require('validator')
+var dns = require('dns')
+var dnsPromises = dns.promises
 // var fs = require('fs')
 // var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8'))
 var termCols, termRows
@ -16,6 +19,7 @@ var menuData = '<a id="logBtn"><i class="fas fa-clipboard fa-fw"></i> Start Log<

 // public
 module.exports = function socket (socket) {
+  async function setupConnection () {
    // if websocket connection arrives without an express session, kill it
    if (!socket.request.session) {
      socket.emit('401 UNAUTHORIZED')
@ -26,9 +30,23 @@ module.exports = function socket (socket) {

    // If configured, check that requsted host is in a permitted subnet
    if ((((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length && (socket.request.session.ssh.allowedSubnets.length > 0)) {
+      var ipaddress = socket.request.session.ssh.host
+      if (!validator.isIP(ipaddress + '')) {
+        try {
+          var result = await dnsPromises.lookup(socket.request.session.ssh.host)
+          ipaddress = result.address
+        } catch (err) {
+          console.log('WebSSH2 ' + `error: ${err.code} ${err.hostname}`.red.bold +
+            ' user=' + socket.request.session.username.yellow.bold.underline +
+            ' from=' + socket.handshake.address.yellow.bold.underline)
+          socket.emit('ssherror', '404 HOST IP NOT FOUND')
+          socket.disconnect(true)
+          return
+        }
+      }
      var matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets)
-    if (!matcher.contains(socket.request.session.ssh.host)) {
-      console.log('WebSSH2 ' + 'error: Requested host outside configured subnets / REJECTED'.red.bold +
+      if (!matcher.contains(ipaddress)) {
+        console.log('WebSSH2 ' + `error: Requested host ${ipaddress} outside configured subnets / REJECTED`.red.bold +
          ' user=' + socket.request.session.username.yellow.bold.underline +
          ' from=' + socket.handshake.address.yellow.bold.underline)
        socket.emit('ssherror', '401 UNAUTHORIZED')
@ -190,4 +208,7 @@ module.exports = function socket (socket) {
      }
      debugWebSSH2('SSHerror ' + myFunc + theError)
    }
+  }
+
+  setupConnection()
 }