github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 16:48:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): harden SSH target handling (#4001)

Browse Source 
Thanks @YLChen-007.

Co-authored-by: Edward-x <YLChen-007@users.noreply.github.com>
This commit is contained in:
Peter Steinberger
2026-01-29 16:33:36 +00:00
parent 4b5514a259
commit 06289b36da
8 changed files with 82 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/infra/ssh-tunnel.ts
View File

@@ -41,10 +41,14 @@ export function parseSshTarget(raw: string): SshParsedTarget | null {
const portRaw = hostPart.slice(colonIdx + 1).trim();
const port = Number.parseInt(portRaw, 10);
if (!host || !Number.isFinite(port) || port <= 0) return null;
// Security: Reject hostnames starting with '-' to prevent argument injection
if (host.startsWith("-")) return null;
return { user: userPart, host, port };
}
if (!hostPart) return null;
// Security: Reject hostnames starting with '-' to prevent argument injection
if (hostPart.startsWith("-")) return null;
return { user: userPart, host: hostPart, port: 22 };
}
@@ -134,7 +138,8 @@ export async function startSshPortForward(opts: {
if (opts.identity?.trim()) {
args.push("-i", opts.identity.trim());
}
args.push(userHost);
// Security: Use '--' to prevent userHost from being interpreted as an option
args.push("--", userHost);
const stderr: string[] = [];
const child = spawn("/usr/bin/ssh", args, {