grim/hgkeeper
Clone
Summary
Browse
Changes
Graph
Normalize paths before passing them to the authorization checker
16 months ago, Gary Kramlich
e33f7739ab49
Normalize paths before passing them to the authorization checker
This bug allowed attackers to bypass deny rules by adding a trailing / to the
repository which depending on the policy could grant them access to said
repository.
package
http
import
(
"fmt"
"net/http"
"strings"
log
"github.com/sirupsen/logrus"
"keep.imfreedom.org/grim/hgkeeper/access"
)
func
authorizedKeysHandler
(
externalHostname
,
externalPort
string
)
http
.
Handler
{
return
http
.
HandlerFunc
(
func
(
w
http
.
ResponseWriter
,
r
*
http
.
Request
)
{
fp
:=
r
.
URL
.
Query
().
Get
(
"fp"
)
if
fp
==
""
{
w
.
WriteHeader
(
http
.
StatusBadRequest
)
fmt
.
Fprintf
(
w
,
"missing fp parameter"
)
return
}
pubkey
,
err
:=
access
.
PubkeyFromFingerprint
(
fp
)
if
err
!=
nil
{
w
.
WriteHeader
(
http
.
StatusNotFound
)
fmt
.
Fprintf
(
w
,
"failed to find fingerprint %q"
,
fp
)
log
.
Errorf
(
"failed to find fingerprint for %s: %v"
,
fp
,
err
)
return
}
options
:=
[]
string
{
fmt
.
Sprintf
(
"command=\"ssh -T %s -p %s $SSH_ORIGINAL_COMMAND\""
,
externalHostname
,
externalPort
,
),
"restrict"
,
"agent-forwarding"
,
}
w
.
WriteHeader
(
http
.
StatusOK
)
fmt
.
Fprintf
(
w
,
fmt
.
Sprintf
(
"%s %s"
,
strings
.
Join
(
options
,
","
),
pubkey
))
})
}