I came across this commit to Git today:

https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c316e8fa

which is part of a mitigation for a security bug they've found whereby they are constructing a "ssh" command based on user input, and are able to trick SSH into processing what should be a hostname as an option instead, if the user manages to give a hostname that begins with "-".

It struck me that while ssh has options such as "-p" that allow explicit specification of a port, and "-l" for the login name, I don't see an equivalent to specify the host explicitly - rather it's parsed from the first positional argument.

Has there been discussion as to whether it would be worthwhile adding such a flag so that a host (to connect to) could be passed more explicitly to ssh? (Would need some thinking about how that would interact with the other positional arguments...)

(I must admit I haven't studied the rest of the Git bug - before I read their commit my assumption was that this was a more typical string-concatenation-induced security bug. Once I read that commit I found this particular pattern of bug quite interesting, as they do in fact appear to be passing an array of arguments to SSH; they just don't have any way to explicitly call an argument a hostname.)
On Fri, 2017-08-11 at 10:07 +1000, Adam Eijdenberg wrote:
> I came across this commit to Git today:
>
> https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c316e8fa
>
> which is part of a mitigation for a security bug they've found whereby
> they are constructing a "ssh" command based on user input, and are
> able to trick SSH into processing what should be a hostname as an
> option instead, if the user manages to give a hostname that begins
> with "-".
>
> It struck me that while ssh has options such as "-p" that allow
> explicit specification of a port, and "-l" for the login name, I don't
> see an equivalent to specify the host explicitly - rather it's parsed
> from the first positional argument.

There is always the option to pass it as the argument of the HostName option. But you will still have to use some bogus hostname for the positional argument anyway. For example:

    ssh -oHostName="example.com" bogus

It is not nice, but it should do the job for such cases and avoid parsing it as a different argument.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
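The following is an added example, not code from either message, from Git or from OpenSSH. It models the bug class the thread discusses (an untrusted host landing in the first positional slot of a getopt-style command line) and the two remedies mentioned: refusing a host that begins with "-", as the Git commit does, and binding the host with -oHostName= plus a fixed placeholder, as suggested in the reply. `first_positional` is a simplified model of option parsing, not ssh's actual parser; `PLACEHOLDER`, `UnsafeHostError`, the `build_*` helpers and the `-badhost` sample value are all constructed for this example.

```python
"""Building an ssh argv from an untrusted host (added example, not Git/OpenSSH code)."""
import re

# Fixed positional "host" for the -oHostName= approach. Any syntactically
# valid name works here because the real target comes from the HostName option.
PLACEHOLDER = "ssh-target"

# Conservative hostname / IP-literal alphabet: no whitespace, quotes or control
# characters, so the value cannot smuggle extra tokens into a "-o" config line.
_HOST_CHARS = re.compile(r"^[A-Za-z0-9.:_-]+$")

# Subset of OpenSSH's single-letter options that take an argument (see ssh(1)).
_TAKES_ARG = set("bceilmopBDEFIJLOQRSWw")

# Constructed sample: a "hostname" chosen to begin with "-".
CRAFTED_HOST = "-badhost"


class UnsafeHostError(ValueError):
    """The host value would be misread by ssh's option parser."""


def first_positional(argv, takes_arg=_TAKES_ARG):
    """Model of how a getopt-style parser finds the host: walk argv[1:],
    skip options and their arguments, return the first non-option element.
    Returns None if every element was swallowed as an option."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith("-") or arg == "-":
            return arg
        # A cluster of flags: the first letter that takes an argument consumes
        # the rest of this element, or the next element if nothing is left.
        consumed_next = False
        for pos, letter in enumerate(arg[1:], start=1):
            if letter in takes_arg:
                consumed_next = pos == len(arg) - 1
                break
        i += 2 if consumed_next else 1
    return None


def _common_options(port=None, user=None):
    """-p and -l take their value as the *next* argv element, which the parser
    consumes as the option's argument even if that value starts with '-'."""
    argv = []
    if port is not None:
        argv += ["-p", str(int(port))]
    if user is not None:
        argv += ["-l", user]
    return argv


def build_ssh_argv_naive(host, port=None, user=None):
    """The vulnerable pattern: the untrusted host in the first positional slot."""
    return ["ssh"] + _common_options(port, user) + [host]


def _check_host_chars(host):
    if not host or not _HOST_CHARS.match(host):
        raise UnsafeHostError("not a plausible hostname or IP literal: %r" % (host,))
    return host


def check_host(host):
    """Strategy 1 (what the Git commit in the thread does): refuse a host that
    would be read as an option, i.e. one that begins with '-'."""
    _check_host_chars(host)
    if host.startswith("-"):
        raise UnsafeHostError("host looks like a command-line option: %r" % (host,))
    return host


def build_ssh_argv_checked(host, port=None, user=None):
    return build_ssh_argv_naive(check_host(host), port, user)


def build_ssh_argv_hostname_option(host, port=None, user=None):
    """Strategy 2 (the workaround from the reply): bind the host with
    -oHostName=... so option letter and value share one argv element, and put
    a fixed placeholder in the positional slot. The character check still
    applies because the -o value is parsed as an ssh_config line."""
    _check_host_chars(host)
    return ["ssh", "-oHostName=" + host] + _common_options(port, user) + [PLACEHOLDER]


if __name__ == "__main__":
    naive = build_ssh_argv_naive(CRAFTED_HOST, user="git")
    print("naive argv:      ", naive, "-> host seen by parser:", first_positional(naive))
    safe = build_ssh_argv_hostname_option(CRAFTED_HOST, user="git")
    print("HostName argv:   ", safe, "-> host seen by parser:", first_positional(safe))
    try:
        build_ssh_argv_checked(CRAFTED_HOST, user="git")
    except UnsafeHostError as e:
        print("checked argv:     rejected:", e)
```

Two caveats a caller should keep in mind. The placeholder approach changes what ssh_config `Host` stanzas match against, since ssh_config(5) matches `Host` patterns on the hostname argument given on the command line, not on the `HostName` value, so per-host configuration keyed on the real name will not apply unless the caller supplies it itself. And `first_positional` only shows why a leading "-" is dangerous; it is not a substitute for testing the actual ssh binary in use.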