Block shell websocket connections from non-lens renderers (#4285)

* Block shell websocket connections from non-lens renderers Signed-off-by: Sebastian Malton <sebastian@malton.name> * Add IPC based authentication tokens Signed-off-by: Sebastian Malton <sebastian@malton.name> * Fix race condition on tab start Signed-off-by: Sebastian Malton <sebastian@malton.name>
2025-05-20 05:10:56 +00:00 · 2021-11-08 19:02:10 -05:00 · 2021-11-08 19:02:10 -05:00 · c09a57370e
commit c09a57370e
parent a399b8ee20
6 changed files with 89 additions and 40 deletions
--- a/src/main/index.ts
+++ b/src/main/index.ts
@ -63,7 +63,7 @@ import { ensureDir } from "fs-extra";
 import { Router } from "./router";
 import { initMenu } from "./menu";
 import { initTray } from "./tray";
-import { kubeApiRequest, shellApiRequest } from "./proxy-functions";
+import { kubeApiRequest, shellApiRequest, ShellRequestAuthenticator } from "./proxy-functions";
 import { AppPaths } from "../common/app-paths";
 injectSystemCAs();
@ -122,7 +122,7 @@ app.on("second-instance", (event, argv) => {
  WindowManager.getInstance(false)?.ensureMainWindow();
 });
-app.on("ready", async () => {  
+app.on("ready", async () => {
  logger.info(`🚀 Starting ${productName} from "${AppPaths.get("exe")}"`);
  logger.info("🐚 Syncing shell environment");
  await shellSync();
@ -134,6 +134,7 @@ app.on("ready", async () => {
  registerFileProtocol("static", __static);
  PrometheusProviderRegistry.createInstance();
  ShellRequestAuthenticator.createInstance().init();
  initializers.initPrometheusProviderRegistry();
  /**
--- a/src/main/lens-proxy.ts
+++ b/src/main/lens-proxy.ts
@ -82,7 +82,7 @@ export class LensProxy extends Singleton {
        const reqHandler = isInternal ? shellApiRequest : kubeApiRequest;
        (async () => reqHandler({ req, socket, head }))()
-          .catch(error => logger.error(logger.error(`[LENS-PROXY]: failed to handle proxy upgrade: ${error}`)));
+          .catch(error => logger.error("[LENS-PROXY]: failed to handle proxy upgrade", error));
      });
  }
--- a/src/main/proxy-functions/shell-api-request.ts
+++ b/src/main/proxy-functions/shell-api-request.ts
@ -19,29 +19,78 @@
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
 import type http from "http";
 import url from "url";
 import logger from "../logger";
-import * as WebSocket from "ws";
+import { Server as WebSocketServer } from "ws";
 import { NodeShellSession, LocalShellSession } from "../shell-session";
 import type { ProxyApiRequestArgs } from "./types";
 import { ClusterManager } from "../cluster-manager";
 import URLParse from "url-parse";
 import { ExtendedMap, Singleton } from "../../common/utils";
 import type { ClusterId } from "../../common/cluster-types";
 import { ipcMainHandle } from "../../common/ipc";
 import * as uuid from "uuid";
-export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs) {
+export class ShellRequestAuthenticator extends Singleton {
-  const ws = new WebSocket.Server({ noServer: true });
+  private tokens = new ExtendedMap<ClusterId, Map<string, string>>();
-  ws.on("connection", ((socket: WebSocket, req: http.IncomingMessage) => {
+  init() {
-    const cluster = ClusterManager.getInstance().getClusterForRequest(req);
+    ipcMainHandle("cluster:shell-api", (event, clusterId, tabId) => {
-    const nodeParam = url.parse(req.url, true).query["node"]?.toString();
+      const authToken = uuid.v4();
-    const shell = nodeParam
+
-      ? new NodeShellSession(socket, cluster, nodeParam)
+      this.tokens
-      : new LocalShellSession(socket, cluster);
+        .getOrInsert(clusterId, () => new Map())
        .set(tabId, authToken);
      return authToken;
    });
  }
  /**
   * Authenticates a single use token for creating a new shell
   * @param clusterId The `ClusterId` for the shell
   * @param tabId The ID for the shell
   * @param token The value that is being presented as a one time authentication token
   * @returns `true` if `token` was valid, false otherwise
   */
  authenticate(clusterId: ClusterId, tabId: string, token: string): boolean {
    const clusterTokens = this.tokens.get(clusterId);
    if (!clusterTokens) {
      return false;
    }
    const authToken = clusterTokens.get(tabId);
    // need both conditions to prevent `undefined === undefined` being true here
    if (typeof authToken === "string" && authToken === token) {
      // remove the token because it is a single use token
      clusterTokens.delete(tabId);
      return true;
    }
    return false;
  }
 }
 export function shellApiRequest({ req, socket, head }: ProxyApiRequestArgs): void {
  const cluster = ClusterManager.getInstance().getClusterForRequest(req);
  const { query: { node, shellToken, id: tabId }} = new URLParse(req.url, true);
  if (!cluster || !ShellRequestAuthenticator.getInstance().authenticate(cluster.id, tabId, shellToken)) {
    socket.write("Invalid shell request");
    return void socket.end();
  }
  const ws = new WebSocketServer({ noServer: true });
  ws.handleUpgrade(req, socket, head, (webSocket) => {
    const shell = node
      ? new NodeShellSession(webSocket, cluster, node)
      : new LocalShellSession(webSocket, cluster);
    shell.open()
-      .catch(error => logger.error(`[SHELL-SESSION]: failed to open: ${error}`, { error }));
+      .catch(error => logger.error(`[SHELL-SESSION]: failed to open a ${node ? "node" : "local"} shell`, error));
  }));
  ws.handleUpgrade(req, socket, head, (con) => {
    ws.emit("connection", con, req);
  });
 }
--- a/src/main/shell-session/node-shell-session.ts
+++ b/src/main/shell-session/node-shell-session.ts
@ -19,7 +19,7 @@
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
-import type * as WebSocket from "ws";
+import type WebSocket from "ws";
 import { v4 as uuid } from "uuid";
 import * as k8s from "@kubernetes/client-node";
 import type { KubeConfig } from "@kubernetes/client-node";
--- a/src/main/shell-session/shell-session.ts
+++ b/src/main/shell-session/shell-session.ts
@ -22,7 +22,7 @@
 import fse from "fs-extra";
 import type { Cluster } from "../cluster";
 import { Kubectl } from "../kubectl";
-import type * as WebSocket from "ws";
+import type WebSocket from "ws";
 import { shellEnv } from "../utils/shell-env";
 import { app } from "electron";
 import { clearKubeconfigEnvVars } from "../utils/clear-kube-env-vars";
--- a/src/renderer/api/terminal-api.ts
+++ b/src/renderer/api/terminal-api.ts
@ -19,13 +19,13 @@
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
-import { boundMethod, base64, EventEmitter } from "../utils";
+import { boundMethod, base64, EventEmitter, getHostedClusterId } from "../utils";
 import { WebSocketApi } from "./websocket-api";
 import isEqual from "lodash/isEqual";
 import { isDevelopment } from "../../common/vars";
 import url from "url";
 import { makeObservable, observable } from "mobx";
-import type { ParsedUrlQueryInput } from "querystring";
+import { ipcRenderer } from "electron";
 export enum TerminalChannels {
  STDIN = 0,
@ -50,7 +50,7 @@ enum TerminalColor {
 export type TerminalApiQuery = Record<string, string> & {
  id: string;
  node?: string;
-  type?: string | "node";
+  type?: string;
 };
 export class TerminalApi extends WebSocketApi {
@ -58,9 +58,8 @@ export class TerminalApi extends WebSocketApi {
  public onReady = new EventEmitter<[]>();
  @observable public isReady = false;
  public readonly url: string;
-  constructor(protected options: TerminalApiQuery) {
+  constructor(protected query: TerminalApiQuery) {
    super({
      logging: isDevelopment,
      flushOnOpen: false,
@ -68,30 +67,30 @@ export class TerminalApi extends WebSocketApi {
    });
    makeObservable(this);
-    const { hostname, protocol, port } = location;
+    if (query.node) {
-    const query: ParsedUrlQueryInput = {
+      query.type ||= "node";
      id: options.id,
    };
    if (options.node) {
      query.node = options.node;
      query.type = options.type || "node";
    }
  }
-    this.url = url.format({
+  async connect() {
    this.emitStatus("Connecting ...");
    const shellToken = await ipcRenderer.invoke("cluster:shell-api", getHostedClusterId(), this.query.id);
    const { hostname, protocol, port } = location;
    const socketUrl = url.format({
      protocol: protocol.includes("https") ? "wss" : "ws",
      hostname,
      port,
      pathname: "/api",
-      query,
+      query: {
        ...this.query,
        shellToken,
      },
      slashes: true,
    });
  }
  connect() {
    this.emitStatus("Connecting ...");
    this.onData.addListener(this._onReady, { prepend: true });
-    super.connect(this.url);
+    super.connect(socketUrl);
  }
  destroy() {