Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Warn about/prevent multiple direct remote connections #20834

Closed
wants to merge 3 commits into from
Closed

Warn about/prevent multiple direct remote connections #20834

wants to merge 3 commits into from

Conversation

mvollmer
Copy link
Member

@mvollmer mvollmer commented Aug 2, 2024
edited
Loading

Demo: https://youtu.be/lvR2youiY4M

  • don't rely on logout resetting local storage. instead, let cockpit-ws report host addresses of valid cookies to login.html
  • config option
  • design
  • tests
  • coverage

@mvollmer mvollmer requested a review from garrett August 2, 2024 14:39
@mvollmer
WIP - prevent direct multi host scenarios
0c3733f 
by finding the current session and redirecting to it from the login
page.
@mvollmer
WIP - show warning if multihost is allowed
0e27614
cockpituous
cockpituous reviewed Aug 7, 2024
View reviewed changes
pkg/static/login.js
// from two machines into the same browser origin.

const logged_into = environment["logged-into"];
const cur_machine = logged_into.length > 0 ? logged_into[0] : null;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This added line is not executed by any test.

pkg/static/login.js
Comment on lines +349 to +351
function redirect_to_current_machine() {
if (cur_machine === ".")
login_reload("/");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These 3 added lines are not executed by any test.

pkg/static/login.js
if (cur_machine === ".")
login_reload("/");
else
login_reload("/=" + cur_machine);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This added line is not executed by any test.

pkg/static/login.js
Comment on lines +356 to +358
if (cur_machine) {
if (!environment.page.allow_multi_host)
redirect_to_current_machine();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These 3 added lines are not executed by any test.

pkg/static/login.js
Comment on lines +360 to +363
id("multihost-message").textContent = format(_("You are already connected to '$0' in this browser session. Connecting to other hosts will allow them to execute arbitrary code on each other. Please be careful."),
cur_machine == "." ? "localhost" : cur_machine);
id("multihost-get-me-there").addEventListener("click", redirect_to_current_machine);
show('#multihost-warning');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These 4 added lines are not executed by any test.

pkg/static/login.js
@@ -948,6 +977,8 @@
}

function login_reload (wanted) {
console.log("RELOAD", wanted);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This added line is not executed by any test.

This was referenced Aug 9, 2024
Merged
Draft
@mvollmer
Copy link
Member Author

mvollmer commented Aug 9, 2024

Let's split this. Preventing: #20860, warning: #20861.

@mvollmer mvollmer closed this Aug 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cockpituous cockpituous cockpituous left review comments

@garrett garrett Awaiting requested review from garrett

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mvollmer @cockpituous