Block shell websocket connections from non-lens renderers (#4285)

* Block shell websocket connections from non-lens renderers

Signed-off-by: Sebastian Malton <sebastian@malton.name>

* Add IPC based authentication tokens

Signed-off-by: Sebastian Malton <sebastian@malton.name>

* Fix race condition on tab start

Signed-off-by: Sebastian Malton <sebastian@malton.name>

src/main/index.ts

@@ -63,7 +63,7 @@ import { ensureDir } from "fs-extra";
 import { Router } from "./router";
 import { initMenu } from "./menu";
 import { initTray } from "./tray";
-import { kubeApiRequest, shellApiRequest } from "./proxy-functions";
+import { kubeApiRequest, shellApiRequest, ShellRequestAuthenticator } from "./proxy-functions";
 import { AppPaths } from "../common/app-paths";
 
 injectSystemCAs();
@@ -134,6 +134,7 @@ app.on("ready", async () => {
   registerFileProtocol("static", __static);
 
   PrometheusProviderRegistry.createInstance();
+  ShellRequestAuthenticator.createInstance().init();
   initializers.initPrometheusProviderRegistry();
 
   /**

src/main/lens-proxy.ts

@@ -82,7 +82,7 @@ export class LensProxy extends Singleton {
         const reqHandler = isInternal ? shellApiRequest : kubeApiRequest;
 
         (async () => reqHandler({ req, socket, head }))()
-          .catch(error => logger.error(logger.error(`[LENS-PROXY]: failed to handle proxy upgrade: ${error}`)));
+          .catch(error => logger.error("[LENS-PROXY]: failed to handle proxy upgrade", error));
       });
   }
 

src/main/proxy-functions/shell-api-request.ts

@@ -19,29 +19,78 @@
  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-import type http from "http";
-import url from "url";
 import logger from "../logger";
-import * as WebSocket from "ws";
+import { Server as WebSocketServer } from "ws";
 import { NodeShellSession, LocalShellSession } from "../shell-session";
 import type { ProxyApiRequestArgs } from "./types";
 import { ClusterManager } from "../cluster-manager";
+import URLParse from "url-parse";
+import { ExtendedMap, Singleton } from "../../common/utils";
+import type { ClusterId } from "../../common/cluster-types";
+import { ipcMainHandle } from "../../common/ipc";
+import * as uuid from "uuid";
 
-export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs) {
+export class ShellRequestAuthenticator extends Singleton {
-  const ws = new WebSocket.Server({ noServer: true });
+  private tokens = new ExtendedMap<ClusterId, Map<string, string>>();
 
-  ws.on("connection", ((socket: WebSocket, req: http.IncomingMessage) => {
+  init() {
-    const cluster = ClusterManager.getInstance().getClusterForRequest(req);
+    ipcMainHandle("cluster:shell-api", (event, clusterId, tabId) => {
-    const nodeParam = url.parse(req.url, true).query["node"]?.toString();
+      const authToken = uuid.v4();
-    const shell = nodeParam
-      ? new NodeShellSession(socket, cluster, nodeParam)
-      : new LocalShellSession(socket, cluster);
 
-    shell.open()
+      this.tokens
-      .catch(error => logger.error(`[SHELL-SESSION]: failed to open: ${error}`, { error }));
+        .getOrInsert(clusterId, () => new Map())
-  }));
+        .set(tabId, authToken);
 
-  ws.handleUpgrade(req, socket, head, (con) => {
+      return authToken;
-    ws.emit("connection", con, req);
+    });
+  }
+
+  /**
+   * Authenticates a single use token for creating a new shell
+   * @param clusterId The `ClusterId` for the shell
+   * @param tabId The ID for the shell
+   * @param token The value that is being presented as a one time authentication token
+   * @returns `true` if `token` was valid, false otherwise
+   */
+  authenticate(clusterId: ClusterId, tabId: string, token: string): boolean {
+    const clusterTokens = this.tokens.get(clusterId);
+
+    if (!clusterTokens) {
+      return false;
+    }
+
+    const authToken = clusterTokens.get(tabId);
+
+    // need both conditions to prevent `undefined === undefined` being true here
+    if (typeof authToken === "string" && authToken === token) {
+      // remove the token because it is a single use token
+      clusterTokens.delete(tabId);
+
+      return true;
+    }
+
+    return false;
+  }
+}
+
+export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs): void {
+  const cluster = ClusterManager.getInstance().getClusterForRequest(req);
+  const { query: { node, shellToken, id: tabId }} = new URLParse(req.url, true);
+
+  if (!cluster || !ShellRequestAuthenticator.getInstance().authenticate(cluster.id, tabId, shellToken)) {
+    socket.write("Invalid shell request");
+
+    return void socket.end();
+  }
+
+  const ws = new WebSocketServer({ noServer: true });
+
+  ws.handleUpgrade(req, socket, head, (webSocket) => {
+    const shell = node
+      ? new NodeShellSession(webSocket, cluster, node)
+      : new LocalShellSession(webSocket, cluster);
+
+    shell.open()
+      .catch(error => logger.error(`[SHELL-SESSION]: failed to open a ${node ? "node" : "local"} shell`, error));
   });
 }

src/main/shell-session/node-shell-session.ts

@@ -19,7 +19,7 @@
  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-import type * as WebSocket from "ws";
+import type WebSocket from "ws";
 import { v4 as uuid } from "uuid";
 import * as k8s from "@kubernetes/client-node";
 import type { KubeConfig } from "@kubernetes/client-node";

src/main/shell-session/shell-session.ts

@@ -22,7 +22,7 @@
 import fse from "fs-extra";
 import type { Cluster } from "../cluster";
 import { Kubectl } from "../kubectl";
-import type * as WebSocket from "ws";
+import type WebSocket from "ws";
 import { shellEnv } from "../utils/shell-env";
 import { app } from "electron";
 import { clearKubeconfigEnvVars } from "../utils/clear-kube-env-vars";

src/renderer/api/terminal-api.ts

@@ -19,13 +19,13 @@
  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  */
 
-import { boundMethod, base64, EventEmitter } from "../utils";
+import { boundMethod, base64, EventEmitter, getHostedClusterId } from "../utils";
 import { WebSocketApi } from "./websocket-api";
 import isEqual from "lodash/isEqual";
 import { isDevelopment } from "../../common/vars";
 import url from "url";
 import { makeObservable, observable } from "mobx";
-import type { ParsedUrlQueryInput } from "querystring";
+import { ipcRenderer } from "electron";
 
 export enum TerminalChannels {
   STDIN = 0,
@@ -50,7 +50,7 @@ enum TerminalColor {
 export type TerminalApiQuery = Record<string, string> & {
   id: string;
   node?: string;
-  type?: string | "node";
+  type?: string;
 };
 
 export class TerminalApi extends WebSocketApi {
@@ -58,9 +58,8 @@ export class TerminalApi extends WebSocketApi {
 
   public onReady = new EventEmitter<[]>();
   @observable public isReady = false;
-  public readonly url: string;
 
-  constructor(protected options: TerminalApiQuery) {
+  constructor(protected query: TerminalApiQuery) {
     super({
       logging: isDevelopment,
       flushOnOpen: false,
@@ -68,30 +67,30 @@ export class TerminalApi extends WebSocketApi {
     });
     makeObservable(this);
 
-    const { hostname, protocol, port } = location;
+    if (query.node) {
-    const query: ParsedUrlQueryInput = {
+      query.type ||= "node";
-      id: options.id,
+    }
-    };
-
-    if (options.node) {
-      query.node = options.node;
-      query.type = options.type || "node";
   }
 
-    this.url = url.format({
+  async connect() {
+    this.emitStatus("Connecting ...");
+
+    const shellToken = await ipcRenderer.invoke("cluster:shell-api", getHostedClusterId(), this.query.id);
+    const { hostname, protocol, port } = location;
+    const socketUrl = url.format({
       protocol: protocol.includes("https") ? "wss" : "ws",
       hostname,
       port,
       pathname: "/api",
-      query,
+      query: {
+        ...this.query,
+        shellToken,
+      },
       slashes: true,
     });
-  }
 
-  connect() {
-    this.emitStatus("Connecting ...");
     this.onData.addListener(this._onReady, { prepend: true });
-    super.connect(this.url);
+    super.connect(socketUrl);
   }
 
   destroy() {