Skip to content

🔒 Security: WebSocket Authentication Missing / WebSocket认证缺失 #8

Description

@ACCSCI

Summary / 概述

The terminal WebSocket service lacks authentication, allowing unauthorized access to terminal sessions.
终端WebSocket服务缺乏认证机制,允许未授权访问终端会话。

Vulnerability Details / 漏洞详情

Location / 位置

File / 文件: plugins/terminal-ws.ts
Lines / 行号: 29-44

httpServer.on("upgrade", (req: IncomingMessage, socket: Duplex, head: Buffer) => {
  const url = new URL(req.url || "/", `http://${req.headers.host}`);
  if (url.pathname !== "/api/terminal") {
    return;
  }

  const terminalId = url.searchParams.get("terminalId");
  if (!terminalId) {
    socket.destroy();
    return;
  }

  wss.handleUpgrade(req, socket, head, (ws) => {
    wss.emit("connection", ws, req, terminalId);
  });
});

Issues / 问题

  1. No Authentication / 无认证: Anyone can connect to any terminal if they know the terminalId / 任何人只要知道terminalId就可以连接到任何终端
  2. No Session Validation / 无会话验证: No verification that the user owns the terminal session / 未验证用户是否拥有该终端会话
  3. No Rate Limiting / 无速率限制: No protection against brute force attacks on terminalId / 无防止terminalId暴力破解的保护

Impact / 影响

  • Medium / 中危: Unauthorized access to terminal sessions / 未授权访问终端会话
  • High / 高危: Could lead to data exposure or system compromise / 可能导致数据泄露或系统被入侵

Recommended Fix / 修复建议

Option 1 / 方案 1: Token-Based Authentication / 基于令牌的认证

// Generate token when creating terminal / 创建终端时生成令牌
const authToken = crypto.randomUUID();
terminalManager.setAuthToken(terminalId, authToken);

// Validate on connection / 连接时验证
wss.on("connection", async (ws, req, terminalId) => {
  const token = new URL(req.url, 'http://localhost').searchParams.get('token');
  if (!terminalManager.validateAuthToken(terminalId, token)) {
    ws.close(1008, 'Unauthorized');
    return;
  }
  // ... rest of connection handling / 其余连接处理
});

Option 2 / 方案 2: Session Cookie Validation / 会话Cookie验证

// Validate session cookie / 验证会话cookie
const cookies = parseCookies(req.headers.cookie);
const sessionId = cookies['session_id'];
if (!isValidSession(sessionId, terminalId)) {
  socket.destroy();
  return;
}

Option 3 / 方案 3: Origin Validation / 来源验证

// Validate WebSocket origin / 验证WebSocket来源
const origin = req.headers.origin;
if (!isAllowedOrigin(origin)) {
  socket.destroy();
  return;
}

Affected Files / 受影响文件

  • plugins/terminal-ws.ts (lines 29-44)

Priority / 优先级

High / 高危 - Should be fixed before production deployment / 应在生产部署前修复

Labels / 标签

  • security
  • authentication
  • high-priority

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions