use secrets to generate worker id

The worker ID right now is typically based off the address of an object
in memory. This could be guessed. While the worker is tied to a
specific IP, there is a chance an off-path attacker could be hosted
behind the same IP as the caller. They could possibly guess the worker
id of an unclaimed session by observing the sequence of IDs presented to
themselves, leading to them gaining access to an already authenticated
SSH session.

Use the python secrets module to generate a cryptographically secure
token to use as the worker ID. This should be much harder to guess.
pull/305/head
Kyle Larose 2 years ago
parent
commit
1b62f379ed
No known key found for this signature in database
GPG Key ID: 92497759CAFD5835
webssh/worker.py

@ -1,4 +1,5 @@
import logging import logging
import secrets
import tornado.websocket import tornado.websocket
from tornado.ioloop import IOLoop from tornado.ioloop import IOLoop
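
Review bot: `import secrets` at the top of webssh/worker.py only works on Python 3.6 and later, so this import raises ImportError on any older interpreter the project still supports. Either state the minimum Python version alongside this change or fall back to an os.urandom-based token when the import fails.
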
@ -36,7 +37,7 @@ class Worker(object):
self.chan = chan self.chan = chan
self.dst_addr = dst_addr self.dst_addr = dst_addr
self.fd = chan.fileno() self.fd = chan.fileno()
self.id = str(id(self)) self.id = self.gen_id()
self.data_to_dst = [] self.data_to_dst = []
self.handler = None self.handler = None
self.mode = IOLoop.READ self.mode = IOLoop.READ
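
Review bot: on the `self.id = self.gen_id()` line the ID changes from a decimal string (`str(id(self))`) to a 43-character base64url token that can contain `-` and `_`, so check that everything that receives or matches the worker ID accepts that alphabet and length rather than assuming digits. Since the commit message treats this value as what protects an unclaimed session, it is also worth making sure it is not written to the log.
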
@ -50,6 +51,10 @@ class Worker(object):
if events & IOLoop.ERROR: if events & IOLoop.ERROR:
self.close(reason='error event occurred') self.close(reason='error event occurred')
@classmethod
def gen_id(cls):
return secrets.token_urlsafe(nbytes=32)
def set_handler(self, handler): def set_handler(self, handler):
if not self.handler: if not self.handler:
self.handler = handler self.handler = handler
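
Review bot: `gen_id` never uses `cls`, so `@staticmethod` (or a module-level helper) fits better than `@classmethod`, and it has no docstring saying that the return value is a secret session token built from 32 random bytes. A short docstring would guard against a later change swapping it back to something predictable, and a test asserting that two workers get different IDs of the expected length would cover the behaviour this commit relies on.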
