fix: prevent SSH destinations from being parsed as options#4042
Conversation
- SSH 目标来自用户配置,以 - 开头时会被 OpenSSH 当作命令行选项 - 统一加入 -- 可保留现有参数顺序,并同时覆盖普通命令和端口转发
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ApprovabilityVerdict: Needs human review This PR addresses a command injection vulnerability by adding '--' delimiters before user-controlled SSH destinations. Security-related changes warrant human review to verify the fix is complete and correctly applied. You can customize Macroscope's approvability policy. Learn more. |
What Changed
--) before user-controlled destinations in both normal commands and tunnel processes.-oProxyCommand=....sh -s --command and tunnel stop-command assertions distinct.Why
SSH host aliases come from user configuration. Without an option terminator, an alias that begins with
-can be parsed as another OpenSSH option rather than as the destination. That can unexpectedly change SSH behavior.Placing
--immediately before the destination preserves the existing SSH arguments and ensures the destination is treated only as a positional value.Verification
vp check(passes; 9 existing React warnings)vp run typecheckvp test packages/ssh/src/command.test.ts packages/ssh/src/tunnel.test.ts(20 tests)Checklist
Note
Medium Risk
Small argv change in security-sensitive SSH spawning paths; behavior should be safer but any OpenSSH/version quirk around
--with remote commands would affect all SSH usage.Overview
Inserts OpenSSH’s
--option terminator immediately before user-configured host destinations when spawningsshfor remote commands and for-Nport-forward tunnels, so values like-oProxyCommand=…are parsed as the destination (and remote command args) instead of as extra SSH options.Adds a regression test that asserts the spawned argv places
--before a malicious-looking alias and anyremoteCommandArgs. Tunnel integration tests are tightened to distinguishsh -s --launch scripts from othershinvocations and to assert tunnel commands end with--plus the expecteduser@hostspec.Reviewed by Cursor Bugbot for commit 97aff10. Bugbot is set up for automated code reviews on this repo. Configure here.
Note
Prevent SSH destinations from being parsed as options by inserting
--before host argsInserts
--into the SSH args list immediately before the destination host in bothcommand.tsandtunnel.ts, ensuring user-controlled host values are never interpreted as SSH options. Tests incommand.test.tsandtunnel.test.tsare updated to assert the presence and position of the separator.📊 Macroscope summarized 97aff10. 2 files reviewed, 0 issues evaluated, 0 issues filtered, 0 comments posted
🗂️ Filtered Issues
No issues evaluated.