[go: up one dir, main page]
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

use secrets to generate worker id #305

Merged
merged 1 commit into from
Nov 21, 2022
Merged

use secrets to generate worker id #305

merged 1 commit into from
Nov 21, 2022

Conversation

klarose
Copy link
Contributor
@klarose klarose commented Nov 17, 2022

The worker ID right now is typically based off the address of an object in memory. This could be guessed. While the worker is tied to a specific IP, there is a chance an off-path attacker could be hosted behind the same IP as the caller. They could possibly guess the worker id of an unclaimed session by observing the sequence of IDs presented to themselves, leading to them gaining access to an already authenticated SSH session.

Use the python secrets module to generate a cryptographically secure token to use as the worker ID. This should be much harder to guess.

@klarose
use secrets to generate worker id
1b62f37 
The worker ID right now is typically based off the address of an object
in memory. This could be guessed. While the worker is tied to a
specific IP, there is a chance an off-path attacker could be hosted
behind the same IP as the caller. They could possibly guess the worker
id of an unclaimed session by observing the sequence of IDs presented to
themselves, leading to them gaining access to an already authenticated
SSH session.

Use the python secrets module to generate a cryptographically secure
token to use as the worker ID. This shoud be much harder to guess.
@codecov-commenter
Copy link

Codecov Report

Base: 93.81% // Head: 93.29% // Decreases project coverage by -0.51% ⚠️

Coverage data is based on head (1b62f37) compared to base (ee24eb7).
Patch coverage: 100.00% of modified lines in pull request are covered.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #305      +/-   ##
==========================================
- Coverage   93.81%   93.29%   -0.52%     
==========================================
  Files           6        6              
  Lines         727      731       +4     
  Branches      130      130              
==========================================
  Hits          682      682              
- Misses         31       35       +4     
  Partials       14       14
Impacted Files Coverage Δ
webssh/worker.py 83.33% <100.00%> (+0.68%) ⬆️
webssh/handler.py 95.51% <0.00%> (-0.95%) ⬇️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@huashengdun huashengdun merged commit 7b18eac into huashengdun:master Nov 21, 2022
@huashengdun
Copy link
Owner
huashengdun commented Nov 21, 2022
edited
Loading

Merged, but found that Python 2 Python 3.4 Python 3.5 do not have the secrets module.

@klarose
Copy link
Contributor Author
klarose commented Nov 21, 2022

Merged, but found that Python 2 Python 3.4 Python 3.5 do not have the secrets module.

Oh! Sorry. I didn't notice. I was going to suggest we do something else if the import fails, but I see you did that in a followup. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@klarose @codecov-commenter @huashengdun