Release 2.1.0

Bugfix: sanatise usernames before spawning processes
Bugfix: remove empty spaces from ssh args
Bugfix: remove unneeded arg for github publish action

.github/workflows/publish.yml

@@ -24,14 +24,11 @@ jobs:
         env:
           CI: true
       - name: Publish if version has been updated
-        uses: pascalgn/npm-publish-action@1.3.6
+        uses: pascalgn/npm-publish-action@1.3.8
         with:
           tag_name: "v%s"
           tag_message: "v%s"
-          create_tag: "true"
           commit_pattern: "^Release (\\S+)"
-          workspace: "."
-          publish_command: "yarn"
           publish_args: "--non-interactive"
         env:
           GITHUB_TOKEN: ${{ secrets.node_github_token }}

.github/workflows/release.yml

@@ -0,0 +1,21 @@
+---
+name: Create Release
+on:
+  push:
+    tags:
+      - 'v*'
+jobs:
+  build:
+    name: Create Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@master
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}

containers/wetty/Dockerfile

@@ -1,5 +1,5 @@
 FROM node:current-alpine as builder
-RUN apk add -U build-base python
+RUN apk add -U build-base python3
 WORKDIR /usr/src/app
 COPY . /usr/src/app
 RUN yarn && \
@@ -14,7 +14,7 @@ EXPOSE 3000
 COPY --from=builder /usr/src/app/build /usr/src/app/build
 COPY --from=builder /usr/src/app/node_modules /usr/src/app/node_modules
 COPY package.json /usr/src/app
-RUN apk add -U openssh-client sshpass && \
+RUN apk add -U coreutils openssh-client sshpass && \
     mkdir ~/.ssh
 
 ENTRYPOINT [ "yarn" , "docker-entrypoint"]

package.json

@@ -1,6 +1,6 @@
 {
   "name": "wetty",
-  "version": "2.0.4",
+  "version": "2.1.0",
   "description": "WeTTY = Web + TTY. Terminal access in browser over http/https",
   "homepage": "https://github.com/butlerx/wetty",
   "license": "MIT",
@@ -111,7 +111,7 @@
     "helmet": "^4.1.0",
     "json5": "^2.1.3",
     "lodash": "^4.17.20",
-    "node-pty": "^0.9.0",
+    "node-pty": "^0.10.0",
     "parseurl": "^1.3.3",
     "sass": "^1.26.10",
     "socket.io": "^2.3.0",

src/server.ts

@@ -15,6 +15,7 @@ import {
   forceSSHDefault,
   defaultCommand,
 } from './shared/defaults.js';
+import { escapeShell } from './server/shared/shell.js';
 
 /**
  * Starts WeTTy Server
@@ -58,7 +59,7 @@ export async function start(
     } else {
       try {
         const username = await login(socket);
-        args[1] = `${username.trim()}@${args[1]}`;
+        args[1] = `${escapeShell(username.trim())}@${args[1]}`;
         logger.debug('Spawning term', {
           username: username.trim(),
           cmd: args.join(' '),

src/server/command/address.ts

@@ -1,3 +1,5 @@
+import { escapeShell } from '../shared/shell.js';
+
 export function address(
   headers: Record<string, string>,
   user: string,
@@ -6,9 +8,12 @@ export function address(
   // Check request-header for username
   const remoteUser = headers['remote-user'];
   if (remoteUser) {
-    return `${remoteUser}@${host}`;
+    return `${escapeShell(remoteUser)}@${host}`;
   }
   const match = headers.referer.match('.+/ssh/([^/]+)$');
-  const fallback = user ? `${user}@${host}` : host;
-  return match ? `${match[1].split('?')[0]}@${host}` : fallback;
+  if (match) {
+    const username = escapeShell(match[1].split('?')[0]);
+    return `${username}@${host}`;
+  }
+  return user ? `${escapeShell(user)}@${host}` : host;
 }

src/server/shared/shell.ts

@@ -0,0 +1,2 @@
+export const escapeShell = (username: string): string =>
+  username.replace(/[^a-zA-Z0-9-_]/g, '');