fileTransferBlocked method checks if the file transfer commands should be blocked. Warning: consider this mechanism as "Do not trespass" sign, as a violator can still ssh to the host, smuggle the `scp` binary, or just manually send files outside with `curl` or `ftp`. If a user needs a more sophisti
(session ssh.Session)
| 584 | // smuggle the `scp` binary, or just manually send files outside with `curl` or `ftp`. |
| 585 | // If a user needs a more sophisticated and battle-proof solution, consider full endpoint security. |
| 586 | func (s *Server) fileTransferBlocked(session ssh.Session) bool { |
| 587 | if !s.config.BlockFileTransfer { |
| 588 | return false // file transfers are permitted |
| 589 | } |
| 590 | // File transfers are restricted. |
| 591 | |
| 592 | if session.Subsystem() == "sftp" { |
| 593 | return true |
| 594 | } |
| 595 | |
| 596 | cmd := session.Command() |
| 597 | if len(cmd) == 0 { |
| 598 | return false // no command? |
| 599 | } |
| 600 | |
| 601 | c := cmd[0] |
| 602 | c = filepath.Base(c) // in case the binary is absolute path, /usr/sbin/scp |
| 603 | |
| 604 | for _, cmd := range BlockedFileTransferCommands { |
| 605 | if cmd == c { |
| 606 | return true |
| 607 | } |
| 608 | } |
| 609 | return false |
| 610 | } |
| 611 | |
| 612 | func (s *Server) sessionStart(logger slog.Logger, session ssh.Session, env []string, magicType MagicSessionType, container, containerUser string) (retErr error) { |
| 613 | ctx := session.Context() |