Diffstat (limited to 'vendor/github.com/shazow/ssh-chat')
-rw-r--r-- | vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go | 28 | ||||
-rw-r--r-- | vendor/github.com/shazow/ssh-chat/sshd/auth.go | 11 |
2 files changed, 34 insertions, 5 deletions
diff --git a/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go b/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go
new file mode 100644
index 00000000..ed532c97
--- /dev/null
+++ b/vendor/github.com/shazow/ssh-chat/internal/sanitize/sanitize.go
@@ -0,0 +1,28 @@
+package sanitize
+
+import "regexp"
+
+var reStripName = regexp.MustCompile("[^\\w.-]")
+
+const maxLength = 16
+
+// Name returns a name with only allowed characters and a reasonable length
+func Name(s string) string {
+	s = reStripName.ReplaceAllString(s, "")
+	nameLength := maxLength
+	if len(s) <= maxLength {
+		nameLength = len(s)
+	}
+	s = s[:nameLength]
+	return s
+}
+
+var reStripData = regexp.MustCompile("[^[:ascii:]]|[[:cntrl:]]")
+
+// Data returns a string with only allowed characters for client-provided metadata inputs.
+func Data(s string, maxlen int) string {
+	if len(s) > maxlen {
+		s = s[:maxlen]
+	}
+	return reStripData.ReplaceAllString(s, "")
+}
diff --git a/vendor/github.com/shazow/ssh-chat/sshd/auth.go b/vendor/github.com/shazow/ssh-chat/sshd/auth.go
index 2fc86fa8..afa7271a 100644
--- a/vendor/github.com/shazow/ssh-chat/sshd/auth.go
+++ b/vendor/github.com/shazow/ssh-chat/sshd/auth.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"net"
 
+	"github.com/shazow/ssh-chat/internal/sanitize"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -13,8 +14,8 @@ import (
 type Auth interface {
 	// Whether to allow connections without a public key.
 	AllowAnonymous() bool
-	// Given address and public key, return if the connection should be permitted.
-	Check(net.Addr, ssh.PublicKey) (bool, error)
+	// Given address and public key and client agent string, returns nil if the connection should be allowed.
+	Check(net.Addr, ssh.PublicKey, string) error
 }
 
 // MakeAuth makes an ssh.ServerConfig which performs authentication against an Auth implementation.
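Review bot: `Data` truncates `s` to `maxlen` bytes before stripping, so the result can end up shorter than `maxlen`, and a negative `maxlen` makes `s[:maxlen]` panic; neither is stated in its comment. Suggest `// Data truncates s to at most maxlen bytes (maxlen must be >= 0) and then removes every non-ASCII and control character, so the result may be shorter than maxlen.` plus a guard `if maxlen < 0 { maxlen = 0 }` before the slice. Cutting at a byte boundary can also split a trailing multi-byte rune; the leftover bytes are invalid UTF-8, which Go's regexp appears to decode as U+FFFD and therefore remove via `[^[:ascii:]]`, keeping the output ASCII — a one-line comment saying so would save the next reader the same analysis. In `Name`, a comment that RE2's `\w` is ASCII-only, so `s[:nameLength]` can never split a rune, would document why the byte-based limit is safe there.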
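Review bot: The new third parameter of `Check` is unnamed and its comment calls it a "client agent string", while the only caller in this change passes the sanitized SSH client version; naming it and spelling out the error contract makes the interface self-describing: `// Check returns nil if the connection from addr with the given key (nil for anonymous) and sanitized client version string should be allowed; any non-nil error denies it and is handed back to the ssh callbacks.` over `Check(addr net.Addr, key ssh.PublicKey, clientVersion string) error`. The comment should also note that the string is sanitized by the caller (MakeAuth) rather than by the implementation, so implementers know what they can rely on. Since this is a vendored copy, any Auth implementation outside vendor/ presumably needs the same signature change, which this diffstat does not show.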
@@ -23,8 +24,8 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
 		NoClientAuth: false,
 		// Auth-related things should be constant-time to avoid timing attacks.
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
-			ok, err := auth.Check(conn.RemoteAddr(), key)
-			if !ok {
+			err := auth.Check(conn.RemoteAddr(), key, sanitize.Data(string(conn.ClientVersion()), 64))
+			if err != nil {
 				return nil, err
 			}
 			perm := &ssh.Permissions{Extensions: map[string]string{
@@ -36,7 +37,7 @@ func MakeAuth(auth Auth) *ssh.ServerConfig {
 			if !auth.AllowAnonymous() {
 				return nil, errors.New("public key authentication required")
 			}
-			_, err := auth.Check(conn.RemoteAddr(), nil)
+			err := auth.Check(conn.RemoteAddr(), nil, sanitize.Data(string(conn.ClientVersion()), 64))
 			return nil, err
 		},
 	}
|
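Review bot: `sanitize.Data(string(conn.ClientVersion()), 64)` is written out twice, once in the public-key callback here and again in the anonymous path in the following hunk (`@@ -36,7 +37,7 @@`), with the limit 64 as a bare literal in both places; a small named constant and a helper keep the two call sites from drifting and give the limit a documented meaning. The callback comment about constant-time behaviour now sits above a regexp over client-supplied text; that step does not depend on any secret, so it is not a timing concern, but a short comment distinguishing it from the key comparison would stop a future reader from worrying. MakeAuth itself begins and ends outside these hunks.
```go
// clientVersionLimit caps the sanitized client version string handed to Auth.Check.
const clientVersionLimit = 64

// sanitizedClientVersion returns the client's SSH version string with
// non-ASCII and control characters removed, truncated to clientVersionLimit bytes.
func sanitizedClientVersion(conn ssh.ConnMetadata) string {
	return sanitize.Data(string(conn.ClientVersion()), clientVersionLimit)
}

// … unchanged: MakeAuth up to the PublicKeyCallback …
			err := auth.Check(conn.RemoteAddr(), key, sanitizedClientVersion(conn))
// … unchanged: permissions construction, KeyboardInteractiveCallback preamble …
			err := auth.Check(conn.RemoteAddr(), nil, sanitizedClientVersion(conn))
```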