From d39e5bd7d9d057f11713af53e7ccc22734621f8d Mon Sep 17 00:00:00 2001
From: Tino Rusch <tino.rusch@webvariants.de>
Date: Thu, 11 Feb 2016 18:27:34 +0100
Subject: [PATCH] added whitelist option to prevent connecting to arbitary
 endpoints;

---
 app.js | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/app.js b/app.js
index acc047f..6a4a32f 100644
--- a/app.js
+++ b/app.js
@@ -39,6 +39,10 @@ var opts = require('optimist')
             alias: 'p',
             description: 'wetty listen port'
         },
+        whitelist: {
+            demand: false,
+            description: 'whitelist of username/hosts, you can connect to'
+        }
     }).boolean('allow_discovery').argv;
 
 var runhttps = false;
@@ -47,6 +51,7 @@ var globalsshhost = 'localhost';
 var sshhost = globalsshhost;
 var sshauth = 'password';
 var globalsshuser = '';
+var whitelist = ['^.*@localhost$'];
 
 if (opts.sshport) {
     sshport = opts.sshport;
@@ -71,6 +76,19 @@ if (opts.sslkey && opts.sslcert) {
     opts.ssl.cert = fs.readFileSync(path.resolve(opts.sslcert));
 }
 
+if (opts.whitelist) {
+    whitelist = opts.whitelist.split(',');
+}
+
+function checkWhitelist(target){
+    for (var idx = 0; idx<whitelist.length; idx++) {
+        if(target.match(whitelist[idx])) {
+            return true;
+        }
+    }
+    return false;
+}
+
 process.on('uncaughtException', function(e) {
     console.error('Error: ' + e);
 });
@@ -105,6 +123,13 @@ io.on('connection', function(socket){
     if (match) {
         sshuser = match[0].split('/')[3] + '@';
         sshhost = match[0].split('/')[4];
+        var target = sshuser+sshhost;
+        if (!checkWhitelist(target)) {
+            console.log('whitelist error');
+            socket.emit('output', 'whitelist error');
+            socket.disconnect();
+            return;
+        }
     } else {
         match = request.headers.referer.match('/wetty/ssh/.+$');
         if(match){