feat: pull in #234 staged for 0.4.0 #242

app/server/socket.js

@@ -9,6 +9,9 @@ const debug = require('debug');
 const debugWebSSH2 = require('debug')('WebSSH2');
 const SSH = require('ssh2').Client;
 const CIDRMatcher = require('cidr-matcher');
+const validator = require('validator');
+const dnsPromises = require('dns').promises;
+
 // var fs = require('fs')
 // var hostkeys = JSON.parse(fs.readFileSync('./hostkeyhashes.json', 'utf8'))
 let termCols;
@@ -16,6 +19,7 @@ let termRows;
 
 // public
 module.exports = function appSocket(socket) {
+  async function setupConnection() {
     // if websocket connection arrives without an express session, kill it
     if (!socket.request.session) {
       socket.emit('401 UNAUTHORIZED');
@@ -70,13 +74,32 @@ module.exports = function appSocket(socket) {
       (((socket.request.session || {}).ssh || {}).allowedSubnets || {}).length &&
       socket.request.session.ssh.allowedSubnets.length > 0
     ) {
-    const matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets);
+      let ipaddress = socket.request.session.ssh.host;
-    if (!matcher.contains(socket.request.session.ssh.host)) {
+      if (!validator.isIP(`${ipaddress}`)) {
+        try {
+          const result = await dnsPromises.lookup(socket.request.session.ssh.host);
+          ipaddress = result.address;
+        } catch (err) {
           console.error(
-        `WebSSH2 ${'error: Requested host outside configured subnets / REJECTED'.red.bold} user=${
+            `WebSSH2 ${`error: ${err.code} ${err.hostname}`.red.bold} user=${
               socket.request.session.username.yellow.bold.underline
             } from=${socket.handshake.address.yellow.bold.underline}`
           );
+          socket.emit('ssherror', '404 HOST IP NOT FOUND');
+          socket.disconnect(true);
+          return;
+        }
+      }
+
+      const matcher = new CIDRMatcher(socket.request.session.ssh.allowedSubnets);
+      if (!matcher.contains(ipaddress)) {
+        console.error(
+          `WebSSH2 ${
+            `error: Requested host ${ipaddress} outside configured subnets / REJECTED`.red.bold
+          } user=${socket.request.session.username.yellow.bold.underline} from=${
+            socket.handshake.address.yellow.bold.underline
+          }`
+        );
         socket.emit('ssherror', '401 UNAUTHORIZED');
         socket.disconnect(true);
         return;
@@ -234,4 +257,6 @@ module.exports = function appSocket(socket) {
       socket.request.session.destroy();
       socket.disconnect(true);
     }
+  }
+  setupConnection();
 };