From 9204b748636121503d3b77c4ca4719e958d2f04c Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Tue, 22 Oct 2024 10:49:43 +0800 Subject: [PATCH] fix: update argument handling based on ansible execution tracing Add a bunch of test cases created by sniffing the execution of ssh commands on an openssh client and server. --- go.mod | 1 - go.sum | 4 -- internal/sshserver/sessionhandler.go | 4 +- internal/sshserver/sessionhandler_test.go | 71 +++++++++++++++++++++-- 4 files changed, 69 insertions(+), 11 deletions(-) diff --git a/go.mod b/go.mod index 81ef28b..2dc781b 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,6 @@ module github.com/uselagoon/ssh-portal go 1.22.2 require ( - al.essio.dev/pkg/shellescape v1.5.1 github.com/DATA-DOG/go-sqlmock v1.5.2 github.com/MicahParks/keyfunc/v2 v2.1.0 github.com/alecthomas/assert/v2 v2.11.0 diff --git a/go.sum b/go.sum index cc9811e..cf41361 100644 --- a/go.sum +++ b/go.sum @@ -1,5 +1,3 @@ -al.essio.dev/pkg/shellescape v1.5.1 h1:86HrALUujYS/h+GtqoB26SBEdkWfmMI6FubjXlsXyho= -al.essio.dev/pkg/shellescape v1.5.1/go.mod h1:6sIqp7X2P6mThCQ7twERpZTuigpr6KbZWtls1U8I890= filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= @@ -69,8 +67,6 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM= github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= -github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.6.1-0.20240806143717-0e97ed3b5379 h1:9pvPp/2VCtCB2xdSUCaKe1VKCzVHMR+GGgIAVLfQxIs= github.com/google/uuid v1.6.1-0.20240806143717-0e97ed3b5379/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA= diff --git a/internal/sshserver/sessionhandler.go b/internal/sshserver/sessionhandler.go index 4966bc3..5da1e3b 100644 --- a/internal/sshserver/sessionhandler.go +++ b/internal/sshserver/sessionhandler.go @@ -5,9 +5,9 @@ import ( "fmt" "io" "log/slog" + "strings" "time" - "al.essio.dev/pkg/shellescape" "github.com/gliderlabs/ssh" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" @@ -86,7 +86,7 @@ func getSSHIntent(sftp bool, cmd []string) []string { // if there is a command, wrap it in a shell the way openssh does // https://github.com/openssh/openssh-portable/blob/ // 73dcca12115aa12ed0d123b914d473c384e52651/session.c#L1705-L1713 - return []string{"sh", "-c", shellescape.QuoteCommand(cmd)} + return []string{"sh", "-c", strings.Join(cmd, " ")} } // sessionHandler returns a ssh.Handler which connects the ssh session to the diff --git a/internal/sshserver/sessionhandler_test.go b/internal/sshserver/sessionhandler_test.go index 7c25f66..261dcf4 100644 --- a/internal/sshserver/sessionhandler_test.go +++ b/internal/sshserver/sessionhandler_test.go @@ -43,7 +43,7 @@ func TestExec(t *testing.T) { user: "project-test", deployment: "cli", rawCommand: []string{"/bin/sh", "-c", "( echo foo; echo bar; echo baz ) | tail -n2"}, - command: []string{"sh", "-c", "/bin/sh -c '( echo foo; echo bar; echo baz ) | tail -n2'"}, + command: []string{"sh", "-c", "/bin/sh -c ( echo foo; echo bar; echo baz ) | tail -n2"}, sftp: false, logAccessEnabled: false, pty: false, @@ -52,7 +52,7 @@ func TestExec(t *testing.T) { user: "project-test", deployment: "cli", rawCommand: []string{"/bin/sh", "-c", "sleep 3 & echo $(pgrep sleep)"}, - command: []string{"sh", "-c", "/bin/sh -c 'sleep 3 & echo $(pgrep sleep)'"}, + command: []string{"sh", "-c", "/bin/sh -c sleep 3 & echo $(pgrep sleep)"}, sftp: false, logAccessEnabled: false, pty: false, @@ -61,7 +61,7 @@ func TestExec(t *testing.T) { user: "project-test", deployment: "cli", rawCommand: []string{"/bin/sh", "-c", "sleep 3 & echo $( pgrep sleep )"}, - command: []string{"sh", "-c", "/bin/sh -c 'sleep 3 & echo $( pgrep sleep )'"}, + command: []string{"sh", "-c", "/bin/sh -c sleep 3 & echo $( pgrep sleep )"}, sftp: false, logAccessEnabled: false, pty: false, @@ -70,7 +70,70 @@ func TestExec(t *testing.T) { user: "project-test", deployment: "cli", rawCommand: []string{"/bin/sh", "-c", "echo $$ $USER"}, - command: []string{"sh", "-c", "/bin/sh -c 'echo $$ $USER'"}, + command: []string{"sh", "-c", "/bin/sh -c echo $$ $USER"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "shell variables 2": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"echo", "$(( $$ + 1 ))"}, + command: []string{"sh", "-c", "echo $(( $$ + 1 ))"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 1": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c '( umask 77 && mkdir -p \"` echo /tmp `\"&& mkdir \"` echo /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780 `\" && echo ansible-tmp-1729564333.3484864-620266-10397749948780=\"` echo /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780 `\" ) && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c '( umask 77 && mkdir -p \"` echo /tmp `\"&& mkdir \"` echo /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780 `\" && echo ansible-tmp-1729564333.3484864-620266-10397749948780=\"` echo /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780 `\" ) && sleep 0'"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 2": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '\"'\"'python3.12'\"'\"'; command -v '\"'\"'python3.11'\"'\"'; command -v '\"'\"'python3.10'\"'\"'; command -v '\"'\"'python3.9'\"'\"'; command -v '\"'\"'python3.8'\"'\"'; command -v '\"'\"'python3.7'\"'\"'; command -v '\"'\"'/usr/bin/python3'\"'\"'; command -v '\"'\"'python3'\"'\"'; echo ENDFOUND && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '\"'\"'python3.12'\"'\"'; command -v '\"'\"'python3.11'\"'\"'; command -v '\"'\"'python3.10'\"'\"'; command -v '\"'\"'python3.9'\"'\"'; command -v '\"'\"'python3.8'\"'\"'; command -v '\"'\"'python3.7'\"'\"'; command -v '\"'\"'/usr/bin/python3'\"'\"'; command -v '\"'\"'python3'\"'\"'; echo ENDFOUND && sleep 0'"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 3": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c '/usr/bin/python3.9 && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c '/usr/bin/python3.9 && sleep 0'"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 4": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c 'chmod u+x /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/ /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/AnsiballZ_command.py && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c 'chmod u+x /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/ /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/AnsiballZ_command.py && sleep 0'"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 5": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c '/usr/bin/python3.9 /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/AnsiballZ_command.py && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c '/usr/bin/python3.9 /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/AnsiballZ_command.py && sleep 0'"}, + sftp: false, + logAccessEnabled: false, + pty: false, + }, + "ansible 6": { + user: "project-test", + deployment: "cli", + rawCommand: []string{"/bin/sh -c 'rm -f -r /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/ > /dev/null 2>&1 && sleep 0'"}, + command: []string{"sh", "-c", "/bin/sh -c 'rm -f -r /tmp/ansible-tmp-1729564333.3484864-620266-10397749948780/ > /dev/null 2>&1 && sleep 0'"}, sftp: false, logAccessEnabled: false, pty: false,