
[Security Issue] Avoid Exposing Ports without Authentication #5442


Merged: 3 commits, Aug 11, 2022

Conversation

rafaelcalpena

Hi, I have recently started using code-server and the proxy feature is very handy, however I realized that anyone can access proxied ports on public domains. The authenticated call seems to be working correctly, but the proxy function does not wait asynchronously for the authentication result.

I believe this is a high-priority issue with consequences such as disclosure of unwanted data and potential privilege escalation on the system. I have not tested my fix, but only minor changes were necessary, so it should be ready to go.

`proxy` should `await` for result of `authenticated` call to avoid security issues.
rafaelcalpena requested a review from a team, August 10, 2022 22:08
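The bug described above, as an added example that is not code-server's own code: an async `authenticated` check whose result is tested without `await`, beside the corrected handler. The names `authenticated`, `proxyVulnerable`, `proxyFixed`, the `key` cookie and the token value are hypothetical stand-ins for the project's functions and configuration.

```javascript
// Added example, not code-server's own code: an async auth check whose
// result is tested without `await`, beside the corrected handler.
// `authenticated`, `proxyVulnerable`, `proxyFixed` and the cookie name
// are hypothetical stand-ins for the project's functions.

// Constructed session token; a real server derives this from its config.
const VALID_KEY = "constructed-session-token-0123";

// Minimal Cookie-header parser (constructed for this example).
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Async like the real check, which may read a password file before deciding.
async function authenticated(req) {
  const key = parseCookies(req.headers.cookie).key;
  return key === VALID_KEY;
}

// BUG: authenticated() returns a Promise, and a Promise object is always
// truthy, so `!authenticated(req)` is always false and the deny branch is
// dead. Every caller, authenticated or not, reaches the proxied port.
async function proxyVulnerable(req) {
  if (!authenticated(req)) {
    return "redirect-to-login";
  }
  return "proxied";
}

// FIX: await the boolean before testing it.
async function proxyFixed(req) {
  if (!(await authenticated(req))) {
    return "redirect-to-login";
  }
  return "proxied";
}

// Runs both handlers against an anonymous and an authenticated request.
async function demo() {
  const anon = { headers: {} };
  const user = { headers: { cookie: `key=${VALID_KEY}` } };
  return {
    vulnAnon: await proxyVulnerable(anon), // "proxied": auth bypassed
    fixedAnon: await proxyFixed(anon), // "redirect-to-login"
    fixedUser: await proxyFixed(user), // "proxied"
  };
}

demo().then((result) => console.log(result));
```

Two things catch this class of bug before release: a regression test that sends an unauthenticated request to the proxy route and asserts on the redirect, and the `@typescript-eslint/no-misused-promises` lint rule (with `checksConditionals` enabled), which reports a Promise used directly as the condition of an `if`.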
Member

code-asher left a comment


Thank you!! This is definitely a big deal. @jsjoeio we should probably try releasing soon with this fix.

@jsjoeio
Contributor

jsjoeio commented Aug 10, 2022

Big thank you for finding and fixing @rafaelcalpena!

> we should probably try releasing soon with this fix.

Agreed!

@codecov

codecov bot commented Aug 10, 2022

Codecov Report

Merging #5442 (fbbe776) into main (c69f2c6) will not change coverage.
The diff coverage is 100.00%.


@@           Coverage Diff           @@
##             main    #5442   +/-   ##
=======================================
  Coverage   72.44%   72.44%           
=======================================
  Files          30       30           
  Lines        1673     1673           
  Branches      366      366           
=======================================
  Hits         1212     1212           
  Misses        398      398           
  Partials       63       63           
Impacted Files Coverage Δ
src/node/routes/index.ts 80.80% <100.00%> (ø)
src/node/routes/pathProxy.ts 66.66% <100.00%> (ø)


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c69f2c6...fbbe776.

@rafaelcalpena
Author

Thanks @code-asher and @jsjoeio for merging and releasing this!
