Summary / 概述
The terminal WebSocket service lacks authentication, allowing unauthorized access to terminal sessions.
终端WebSocket服务缺乏认证机制,允许未授权访问终端会话。
Vulnerability Details / 漏洞详情
Location / 位置
File / 文件: plugins/terminal-ws.ts
Lines / 行号: 29-44
httpServer.on("upgrade", (req: IncomingMessage, socket: Duplex, head: Buffer) => {
const url = new URL(req.url || "/", `http://${req.headers.host}`);
if (url.pathname !== "/api/terminal") {
return;
}
const terminalId = url.searchParams.get("terminalId");
if (!terminalId) {
socket.destroy();
return;
}
wss.handleUpgrade(req, socket, head, (ws) => {
wss.emit("connection", ws, req, terminalId);
});
});
Issues / 问题
- No Authentication / 无认证: Anyone can connect to any terminal if they know the terminalId / 任何人只要知道terminalId就可以连接到任何终端
- No Session Validation / 无会话验证: No verification that the user owns the terminal session / 未验证用户是否拥有该终端会话
- No Rate Limiting / 无速率限制: No protection against brute force attacks on terminalId / 无防止terminalId暴力破解的保护
Impact / 影响
- Medium / 中危: Unauthorized access to terminal sessions / 未授权访问终端会话
- High / 高危: Could lead to data exposure or system compromise / 可能导致数据泄露或系统被入侵
Recommended Fix / 修复建议
Option 1 / 方案 1: Token-Based Authentication / 基于令牌的认证
// Generate token when creating terminal / 创建终端时生成令牌
const authToken = crypto.randomUUID();
terminalManager.setAuthToken(terminalId, authToken);
// Validate on connection / 连接时验证
wss.on("connection", async (ws, req, terminalId) => {
const token = new URL(req.url, 'http://localhost').searchParams.get('token');
if (!terminalManager.validateAuthToken(terminalId, token)) {
ws.close(1008, 'Unauthorized');
return;
}
// ... rest of connection handling / 其余连接处理
});
Option 2 / 方案 2: Session Cookie Validation / 会话Cookie验证
// Validate session cookie / 验证会话cookie
const cookies = parseCookies(req.headers.cookie);
const sessionId = cookies['session_id'];
if (!isValidSession(sessionId, terminalId)) {
socket.destroy();
return;
}
Option 3 / 方案 3: Origin Validation / 来源验证
// Validate WebSocket origin / 验证WebSocket来源
const origin = req.headers.origin;
if (!isAllowedOrigin(origin)) {
socket.destroy();
return;
}
Affected Files / 受影响文件
plugins/terminal-ws.ts (lines 29-44)
Priority / 优先级
High / 高危 - Should be fixed before production deployment / 应在生产部署前修复
Labels / 标签
security
authentication
high-priority
Summary / 概述
The terminal WebSocket service lacks authentication, allowing unauthorized access to terminal sessions.
终端WebSocket服务缺乏认证机制,允许未授权访问终端会话。
Vulnerability Details / 漏洞详情
Location / 位置
File / 文件:
plugins/terminal-ws.tsLines / 行号: 29-44
Issues / 问题
Impact / 影响
Recommended Fix / 修复建议
Option 1 / 方案 1: Token-Based Authentication / 基于令牌的认证
Option 2 / 方案 2: Session Cookie Validation / 会话Cookie验证
Option 3 / 方案 3: Origin Validation / 来源验证
Affected Files / 受影响文件
plugins/terminal-ws.ts(lines 29-44)Priority / 优先级
High / 高危 - Should be fixed before production deployment / 应在生产部署前修复
Labels / 标签
securityauthenticationhigh-priority