Migrate SFTP endpoints

This commit is contained in:
Dane Everitt
2021-02-01 20:59:17 -08:00
parent 6775c17324
commit 62cbe5e135
6 changed files with 97 additions and 160 deletions

View File

@@ -1,6 +1,7 @@
package sftp
import (
"context"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
@@ -10,6 +11,7 @@ import (
"net"
"os"
"path"
"regexp"
"strconv"
"strings"
@@ -18,10 +20,16 @@ import (
"github.com/pkg/sftp"
"github.com/pterodactyl/wings/api"
"github.com/pterodactyl/wings/config"
"github.com/pterodactyl/wings/remote"
"github.com/pterodactyl/wings/server"
"golang.org/x/crypto/ssh"
)
// Usernames all follow the same format, so don't even bother hitting the API if the username is not
// at least in the expected format. This is very basic protection against random bots finding the SFTP
// server and sending a flood of usernames.
var validUsernameRegexp = regexp.MustCompile(`^(?i)(.+)\.([a-z0-9]{8})$`)
//goland:noinspection GoNameStartsWithPackageName
type SFTPServer struct {
manager *server.Manager
@@ -164,7 +172,7 @@ func (c *SFTPServer) generatePrivateKey() error {
// A function capable of validating user credentials with the Panel API.
func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
request := api.SftpAuthRequest{
request := remote.SftpAuthRequest{
User: conn.User(),
Pass: string(pass),
IP: conn.RemoteAddr().String(),
@@ -175,7 +183,12 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
logger := log.WithFields(log.Fields{"subsystem": "sftp", "username": conn.User(), "ip": conn.RemoteAddr().String()})
logger.Debug("validating credentials for SFTP connection")
resp, err := api.New().ValidateSftpCredentials(request)
if !validUsernameRegexp.MatchString(request.User) {
logger.Warn("failed to validate user credentials (invalid format)")
return nil, &remote.SftpInvalidCredentialsError{}
}
resp, err := c.manager.Client().ValidateSftpCredentials(context.Background(), request)
if err != nil {
if api.IsInvalidCredentialsError(err) {
logger.Warn("failed to validate user credentials (invalid username or password)")