
git ssh fix

commit 0d9b8bd1b4b579fdb408809d258317f6cd7becef 1 parent 57e8df6
Eric Schoffstall contra authored
Showing with 67 additions and 25 deletions.
  1. +41 −22 lib/user.js
  2. +23 −0 scripts/filter.coffee
  3. +3 −3 scripts/update_authkeys.js
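--- a/lib/user.js
+++ b/lib/user.js
@@ -1,18 +1,30 @@
 var config = require('../config'),
- cradle = require('cradle'),
- lib = require('./lib'),
- path = require('path'),
- fs = require('fs'),
- exec = require('child_process').exec;
+ cradle = require('cradle'),
+ lib = require('./lib'),
+ path = require('path'),
+ fs = require('fs'),
+ exec = require('child_process').exec;
+var isValidKey = function (key) {
+ var decoded, type, _ref;
+ _ref = key.split(' '), type = _ref[0], key = _ref[1];
+ if (!((type != null) && (key != null) && (type === 'ssh-rsa' || type === 'ssh-dss'))) {
+ return false;
+ }
+ decoded = new Buffer(key, 'base64').toString('ascii');
+ if (decoded.indexOf('ssh-rsa') === -1 && decoded.indexOf('ssh-dss') === -1) {
+ return false;
+ }
+ return true;
+ };
 module.exports = {
- delete: function(req, res, next) {
+ delete: function (req, res, next) {
 var user = req.user;
 // need to delete all users apps
 // and stop all the users apps
 var db = lib.get_couchdb_database('nodefu');
- db.get(user._id, function(err, doc) {
+ db.get(user._id, function (err, doc) {
 if (err) {
 res.writeHead(500, {
 'Content-Type': 'application/json'
@@ -22,7 +34,7 @@ module.exports = {
 message: err.error + ' - ' + err.reason
 }) + '\n');
 } else {
- db.remove(user._id, doc._rev, function(err, resp) {
+ db.remove(user._id, doc._rev, function (err, resp) {
 if (err) {
 res.writeHead(500, {
 'Content-Type': 'application/json'
@@ -40,7 +52,7 @@ module.exports = {
 }
 });
 },
- put: function(req, res, next) {
+ put: function (req, res, next) {
 var user = req.user;
 var newpass = req.body.password;
@@ -48,7 +60,7 @@ module.exports = {
 if (newpass) {
 var db = lib.get_couchdb_database('nodefu');
- db.get(user._id, function(err, doc) {
+ db.get(user._id, function (err, doc) {
 if (err) {
 res.writeHead(500, {
 'Content-Type': 'application/json'
@@ -60,7 +72,7 @@ module.exports = {
 } else {
 db.merge(user._id, {
 password: lib.md5(newpass)
- }, function(err, resp) {
+ }, function (err, resp) {
 if (err) {
 res.writeHead(500, {
 'Content-Type': 'application/json'
@@ -79,15 +91,22 @@ module.exports = {
 }
 });
 } else if (rsakey) {
- exec('sudo ' + config.opt.app_dir + '/scripts/update_authkeys.js ' + config.opt.git_home_dir + '/' + user._id + ' "' + rsakey + '"');
- // This will improve when merging code to handle couchdb of all keys and generation of whole auth keys file in one go.
- res.send({
- status: "success",
- message: "rsa key added"
- });
+ if (!isValidKey(rsakey)) {
+ res.send({
+ status: "failure",
+ message: "invalid rsa key"
+ });
+ } else {
+ exec('sudo ' + config.opt.app_dir + '/scripts/update_authkeys.js ' + config.opt.git_home_dir + '/' + user._id + ' "' + rsakey + '"');
+ // This will improve when merging code to handle couchdb of all keys and generation of whole auth keys file in one go.
+ res.send({
+ status: "success",
+ message: "rsa key added"
+ });
+ }
 }
 },
- post: function(req, res, next) {
+ post: function (req, res, next) {
 var newuser = req.body.user;
 var newpass = req.body.password;
@@ -107,10 +126,10 @@ module.exports = {
 } else {
 var db = lib.get_couchdb_database('nodefu');
- db.get(newuser, function(err, doc) {
+ db.get(newuser, function (err, doc) {
 if (err) {
 if (err.error == 'not_found') {
- if (typeof rsakey == 'undefined') {
+ if (typeof rsakey == 'undefined' || !isValidKey(rsakey)) {
 res.writeHead(400, {
 'Content-Type': 'application/json'
 });
@@ -122,7 +141,7 @@ module.exports = {
 db.save(newuser, {
 password: lib.md5(newpass),
 email: email
- }, function(err, resp) {
+ }, function (err, resp) {
 if (err) {
 res.writeHead(500, {
 'Content-Type': 'application/json'
@@ -164,4 +183,4 @@ module.exports = {
 res.end();
 }
 }
-};
+};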
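Review bot: The new `isValidKey` check in `put` does not make the `exec('sudo ...' + ' "' + rsakey + '"')` call safe, because the whole `rsakey` string is still interpolated into a shell command line. `isValidKey` looks only at the first two space-separated fields, so anything after the second space is never checked, and the base64 test is an `indexOf` on the decoded bytes rather than a check of which characters the field contains. I would pass the arguments without a shell, `require('child_process').execFile('sudo', [config.opt.app_dir + '/scripts/update_authkeys.js', config.opt.git_home_dir + '/' + user._id, rsakey])`, and have `isValidKey` match the complete string against an anchored pattern such as `/^ssh-(rsa|dss) [A-Za-z0-9+\/]+={0,2}( [A-Za-z0-9@._+-]+)?$/`. `isValidKey` also throws when `rsakey` is not a string, so a `typeof key !== 'string'` guard belongs at its top; the `put` and `post` bodies continue outside the hunks.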
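--- a/scripts/filter.coffee
+++ b/scripts/filter.coffee
@@ -0,0 +1,23 @@
+fs = require 'fs'
+
+isValidKey = (key) ->
+ [type, key] = key.split ' '
+ return false unless type? and key? and (type is 'ssh-rsa' or type is 'ssh-dss')
+ decoded = new Buffer(key, 'base64').toString('ascii')
+ return false if decoded.indexOf('ssh-rsa') is -1 and decoded.indexOf('ssh-dss') is -1
+ return true
+
+filter = (path) ->
+ lines = String(fs.readFileSync(path)).split '\r\n'
+ out = []
+ for line in lines
+ [command, path, type, key, email] = line.split ' '
+ if command? and path? and type? and key? and email?
+ if isValidKey("#{type} #{key}") and out.indexOf(line) is -1
+ out.push line
+ console.log "Valid: #{out.length} Invalid: #{lines.length}"
+ return out.join '\r\n'
+
+keyFile = '/node/git/.ssh/authorized_keys'
+newFile = filter keyFile
+fs.writeFileSync keyFile, newFile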
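Review bot: `filter` splits the file on `'\r\n'` only, while the previous `update_authkeys.js` terminated entries with `'\n'`, so an existing authorized_keys file is likely to be treated as one line and then kept whole or dropped whole depending on its first entry. Splitting with `lines = String(fs.readFileSync(path)).split /\r?\n/` handles both endings. The summary prints `lines.length` as the invalid count, where `lines.length - out.length` is probably what was meant, and the loop's destructuring reassigns the `path` parameter. The in-place `fs.writeFileSync keyFile, newFile` also leaves a window in which sshd can read a partial file; writing to a temporary file in the same directory and calling `fs.renameSync` over `keyFile` avoids that.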
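--- a/scripts/update_authkeys.js
+++ b/scripts/update_authkeys.js
@@ -5,8 +5,8 @@ var fs = require('fs'),
 var stream = fs.createWriteStream(config.git_home_dir + '/.ssh/authorized_keys', {
 'flags': 'a+',
- 'encoding': 'utf8',
+ 'encoding': 'ascii',
 'mode': '0644'
 });
-stream.write('command="/usr/local/bin/git-shell-enforce-directory ' + process.argv[2] + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' + process.argv[3] + '\n', 'utf8');
-stream.end();
+stream.write('command="/usr/local/bin/git-shell-enforce-directory ' + process.argv[2] + '",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' + process.argv[3] + '\r\n', 'ascii');
+stream.end();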
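Review bot: `process.argv[2]` and `process.argv[3]` are written into authorized_keys verbatim in the `stream.write` call, and this script is invoked through sudo, so it should not rely on the caller having validated them. A double quote or a line break in either argument changes the structure of the entry, including its `command="..."` restriction. I would add a guard before `stream.write`, for example `if (/["\r\n]/.test(process.argv[2]) || /[\r\n]/.test(process.argv[3])) process.exit(1);`. Changing the terminator to `'\r\n'` also leaves the file with mixed line endings next to entries already written with `'\n'`; the start of the script is outside the hunk.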