df11e54788
Security fix: Disallow hostname starting with a dash, which would get passed to ssh and be treated an option. This could be used by an attacker who provides a crafted ssh url (for eg a git remote) to execute arbitrary code via ssh -oProxyCommand. No CVE has yet been assigned for this hole. The same class of security hole recently affected git itself, CVE-2017-1000117. Method: Identified all places where ssh is run, by git grep '"ssh"' Converted them all to use a SshHost, if they did not already, for specifying the hostname. SshHost was made a data type with a smart constructor, which rejects hostnames starting with '-'. Note that git-annex already contains extensive use of Utility.SafeCommand, which fixes a similar class of problem where a filename starting with a dash gets passed to a program which treats it as an option. This commit was sponsored by Jochen Bartl on Patreon.
29 lines
936 B
Haskell
29 lines
936 B
Haskell
{- ssh hostname sanitization
|
|
-
|
|
- When constructing a ssh command with a hostname that may be controlled
|
|
- by an attacker, prevent the hostname from starting with "-",
|
|
- to prevent tricking ssh into arbitrary command execution via
|
|
- eg "-oProxyCommand="
|
|
-
|
|
- Copyright 2017 Joey Hess <id@joeyh.name>
|
|
-
|
|
- License: BSD-2-clause
|
|
-}
|
|
|
|
module Utility.SshHost (SshHost, mkSshHost, fromSshHost) where
|
|
|
|
newtype SshHost = SshHost String
|
|
|
|
-- | Smart constructor for a legal hostname or IP address.
|
|
-- In some cases, it may be prefixed with "user@" to specify the remote
|
|
-- user at the host.
|
|
--
|
|
-- For now, we only filter out the problem ones, because determining an
|
|
-- actually legal hostnames is quite complicated.
|
|
mkSshHost :: String -> Either String SshHost
|
|
mkSshHost h@('-':_) = Left $
|
|
"rejecting ssh hostname that starts with '-' : " ++ h
|
|
mkSshHost h = Right (SshHost h)
|
|
|
|
fromSshHost :: SshHost -> String
|
|
fromSshHost (SshHost h) = h
|