jinql
/
webssh
mirror of https://github.com/huashengdun/webssh
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

use secrets to generate worker id 

The worker ID right now is typically based off the address of an object
in memory. This could be guessed. While the worker is tied to a
specific IP, there is a chance an off-path attacker could be hosted
behind the same IP as the caller. They could possibly guess the worker
id of an unclaimed session by observing the sequence of IDs presented to
themselves, leading to them gaining access to an already authenticated
SSH session.

Use the python secrets module to generate a cryptographically secure
token to use as the worker ID. This shoud be much harder to guess.
pull/305/head
Kyle Larose 2022-11-17 15:26:05 -05:00
parent ee24eb7f65
commit 1b62f379ed
No known key found for this signature in database
GPG Key ID: 92497759CAFD5835
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
webssh/worker.py
View File

@ -1,4 +1,5 @@
import logging import logging
import secrets
import tornado.websocket import tornado.websocket
from tornado.ioloop import IOLoop from tornado.ioloop import IOLoop
@ -36,7 +37,7 @@ class Worker(object):
self.chan = chan self.chan = chan
self.dst_addr = dst_addr self.dst_addr = dst_addr
self.fd = chan.fileno() self.fd = chan.fileno()
self.id = str(id(self)) self.id = self.gen_id()
self.data_to_dst = [] self.data_to_dst = []
self.handler = None self.handler = None
self.mode = IOLoop.READ self.mode = IOLoop.READ
@ -50,6 +51,10 @@ class Worker(object):
if events & IOLoop.ERROR: if events & IOLoop.ERROR:
self.close(reason='error event occurred') self.close(reason='error event occurred')
@classmethod
def gen_id(cls):
return secrets.token_urlsafe(nbytes=32)
def set_handler(self, handler): def set_handler(self, handler):
if not self.handler: if not self.handler:
self.handler = handler self.handler = handler