ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-09-20 15:05:58 +08:00
Code Issues Packages Projects Releases Wiki Activity
the-bastion/bin/plugin/open/scp
Stéphane Lesimple 521836b17b fix: rare race condition introduced by b7f4909 
Under some specific conditions, the execute() call could get deadlocked with the program it started,
both waiting for each other to read or write data. This is easier to reproduce with the `scp` plugin,
where the transfer would just stall. Introduce an additional intermediate buffer to avoid this race condition.
2022-11-15 17:34:47 +01:00

227 lines
7.3 KiB
Perl
Executable file
Raw Blame History

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use MIME::Base64;
use IO::Compress::Gzip qw{ gzip };
use Sys::Hostname ();
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT );
# stdout is used by scp, so ensure we output everything through stderr
local $ENV{'FORCE_STDERR'} = 1;
# don't output fancy stuff, this can get digested by scp and we get garbage output
local $ENV{'PLUGIN_QUIET'} = 1;
my ($scpCmd);
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => undef,
options => {'scp-cmd=s' => \$scpCmd},
help => \&help,
);
sub help {
osh_header("scp");
my $config = OVH::Bastion::load_configuration();
$config or osh_exit $config;
my $bastionCommand = $config->value->{'bastionCommand'};
my $bastionName = $config->value->{'bastionName'};
$bastionCommand =~ s/USER|ACCOUNT/$self/g;
$bastionCommand =~ s/CACHENAME|BASTIONNAME/$bastionName/g;
my $hostname = Sys::Hostname::hostname();
$bastionCommand =~ s/HOSTNAME/$hostname/g;
# for scp, if the bastionCommand contains -t, we need to get rid of it
$bastionCommand =~ s/ -t( |$)/$1/;
# same thing for --
$bastionCommand =~ s/ --/ /;
my $script = <<"EOF";
#! /bin/sh
#scpwrapper v1.0
while ! [ "\$1" = "--" ] ; do
if [ "\$1" = "-l" ] ; then
remoteuser="--user \$2"
shift 2
elif [ "\$1" = "-p" ] ; then
remoteport="--port \$2"
shift 2
else
sshcmdline="\$sshcmdline \$1"
shift
fi
done
host="\$2"
scpcmd=`echo "\$3" | sed -e 's/#/##/g;s/ /#/g'`
exec $bastionCommand -T \$sshcmdline -- \$remoteuser \$remoteport --host \$host --osh scp --scp-cmd "\$scpcmd"
EOF
my $compressed = '';
gzip \$script => \$compressed;
my $base64 = encode_base64($compressed);
chomp $base64;
osh_info <<"EOF";
Description:
Transfers files to/from a host through the bastion
Usage:
To use scp through the bastion, you need a helper script to use with
your scp client. It'll be specific to your account, don't share it with
others! To download your customized script, copy/paste this command:
EOF
print "\necho \"$base64\"|base64 -d|gunzip -c > ~/scp_$bastionName && chmod +x ~/scp_$bastionName\n\n";
osh_info <<"EOF";
To use scp through this bastion, add `-S ~/scp_$bastionName` to your regular scp command.
For example, to upload a file:
\$ scp -S ~/scp_$bastionName localfile login\@server:/dest/folder/
Or to recursively download a folder contents:
\$ scp -S ~/scp_$bastionName -r login\@server:/src/folder/ /tmp/
Please note that you need to be granted for uploading or downloading files
with scp to/from the remote host, in addition to having the right to SSH to it.
For a group, the right should be added with --scpup/--scpdown of the groupAddServer command.
For a personal access, the right should be added with --scpup/--scpdown of the selfAddPersonalAccess command.
EOF
osh_ok({script => $base64, "content-encoding" => 'base64-gzip'});
return 0;
}
#
# code
#
my $fnret;
if (not $host) {
help();
osh_exit;
}
if (not $ip) {
# note that the calling-side scp will not passthrough this exit code, but most probably "1" instead.
osh_exit 'ERR_HOST_NOT_FOUND', "Sorry, couldn't resolve the host you specified ('$host'), aborting.";
}
my $machine = $ip;
$machine = "$user\@$ip" if $user;
$port ||= 22; # scp uses 22 if not specified, so we need to test access to that port and not any port (aka undef)
$user ||= $self; # same for user
$machine .= ":$port";
# decode the passed scp command
my $decoded = $scpCmd;
$decoded =~ s/(?<!#)#(?!#)/ /g;
$decoded =~ s/##/#/g;
if ($decoded !~ /^(?:scp )(?:.*)-([tf]) (?:.+)$/) {
# security
osh_exit 'ERR_SECURITY_VIOLATION', "scp command format unrecognized";
}
my $userToCheck = $1 eq 't' ? '!scpupload' : '!scpdownload'; ## no critic (CaptureWithoutTest) ## false positive
my %keys;
osh_debug("Checking access 1/2 of $self to $machine...");
$fnret = OVH::Bastion::is_access_granted(
account => $self,
user => $user,
ipfrom => $ENV{'OSH_IP_FROM'},
ip => $ip,
port => $port,
details => 1
);
if (not $fnret) {
osh_exit 'ERR_ACCESS_DENIED', "Sorry, but you don't seem to have access to $machine";
}
# get the keys we would try
foreach my $access (@{$fnret->value || []}) {
foreach my $key (@{$access->{'sortedKeys'} || []}) {
my $keyfile = $access->{'keys'}{$key}{'fullpath'};
$keys{$keyfile}++ if -r $keyfile;
osh_debug("Checking access 1/2 keyfile: $keyfile");
}
}
osh_debug("Checking access 2/2 of $self to $userToCheck of $machine...");
$fnret = OVH::Bastion::is_access_granted(
account => $self,
user => $userToCheck,
ipfrom => $ENV{'OSH_IP_FROM'},
ip => $ip,
port => $port,
exactUserMatch => 1,
details => 1
);
if (not $fnret) {
osh_exit 'ERR_ACCESS_DENIED',
"Sorry, but even if you have ssh access to $machine, you still need to be granted specifically for scp";
}
# get the keys we would try too
foreach my $access (@{$fnret->value || []}) {
foreach my $key (@{$access->{'sortedKeys'} || []}) {
my $keyfile = $access->{'keys'}{$key}{'fullpath'};
$keys{$keyfile}++ if -r $keyfile;
osh_debug("Checking access 2/2 keyfile: $keyfile");
}
}
# now build the command
my @cmd = qw{ ssh -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes };
push @cmd, ('-p', $port) if $port;
push @cmd, ('-l', $user) if $user;
my $atleastonekey = 0;
foreach my $keyfile (keys %keys) {
# only use the key if it has been seen in both allow_deny() calls, this is to avoid
# a security bypass where a user would have group access to a server, but not to the
# !scpupload special user, and we would add himself this access through selfAddPrivateAccess.
# in that case both allow_deny would return OK, but with different keys.
# we'll only use the keys that matched BOTH calls.
next unless $keys{$keyfile} == 2;
push @cmd, ('-i', $keyfile);
$atleastonekey = 1;
}
if (not $atleastonekey) {
osh_exit('KO_ACCESS_DENIED',
"Sorry, you seem to have access through ssh and through scp but by different and distinct means (distinct keys)."
. " The intersection between your rights for ssh and for scp needs to be at least one.");
}
# basic mitigation for CVE-2020-15778
if ($decoded =~ m{[\`\$\;><\|\&]}) {
osh_exit('ERR_SECURITY_VIOLATION', "Invalid characters detected, bailing out");
}
push @cmd, "--", $ip, $decoded;
print STDERR ">>> Hello $self, transferring your file through the bastion "
. ($userToCheck eq '!scpupload' ? 'to' : 'from')
. " $machine...\n";
#print STDERR join('^', @cmd)."\n";
$fnret = OVH::Bastion::execute(cmd => \@cmd, expects_stdin => 1, is_binary => 1);
if ($fnret->err ne 'OK') {
osh_exit 'ERR_TRANSFER_FAILED', "Error launching transfer: $fnret";
}
print STDERR ">>> Done, "
. $fnret->value->{'bytesnb'}{'stdin'}
. " bytes uploaded, "
. $fnret->value->{'bytesnb'}{'stdout'}
. " bytes downloaded.\n";
if ($fnret->value->{'sysret'} != 0) {
print STDERR ">>> On bastion side, scp exited with return code " . $fnret->value->{'sysret'} . ".\n";
}
# don't use osh_exit() to avoid getting a footer
exit OVH::Bastion::EXIT_OK;
Reference in a new issue View git blame Copy permalink