Fix container terminal security risk

Signed-off-by: hongming <talonwan@yunify.com>
2021-06-10 15:16:12 +08:00
parent b77beedbf7
commit 2c60762cfc
4 changed files with 36 additions and 5 deletions
--- a/pkg/kapis/terminal/v1alpha2/handler.go
+++ b/pkg/kapis/terminal/v1alpha2/handler.go
@@ -17,8 +17,13 @@ limitations under the License.
 package v1alpha2

 import (
+	"errors"
 	"net/http"

+	"kubesphere.io/kubesphere/pkg/api"
+	"kubesphere.io/kubesphere/pkg/apiserver/authorization/authorizer"
+	requestctx "kubesphere.io/kubesphere/pkg/apiserver/request"
+
 	"github.com/emicklei/go-restful"
 	"github.com/gorilla/websocket"
 	"k8s.io/client-go/kubernetes"
@@ -37,9 +42,10 @@ var upgrader = websocket.Upgrader{

 type terminalHandler struct {
 	terminaler terminal.Interface
+	authorizer authorizer.Authorizer
 }

-func newTerminalHandler(client kubernetes.Interface, config *rest.Config) *terminalHandler {
+func newTerminalHandler(client kubernetes.Interface, authorizer authorizer.Authorizer, config *rest.Config) *terminalHandler {
 	return &terminalHandler{
 		terminaler: terminal.NewTerminaler(client, config),
 	}
@@ -51,6 +57,29 @@ func (t *terminalHandler) handleTerminalSession(request *restful.Request, respon
 	containerName := request.QueryParameter("container")
 	shell := request.QueryParameter("shell")

+	user, _ := requestctx.UserFrom(request.Request.Context())
+
+	createPodsExec := authorizer.AttributesRecord{
+		User:            user,
+		Verb:            "create",
+		Resource:        "pods",
+		Subresource:     "exec",
+		Namespace:       namespace,
+		ResourceRequest: true,
+		ResourceScope:   requestctx.NamespaceScope,
+	}
+
+	decision, reason, err := t.authorizer.Authorize(createPodsExec)
+	if err != nil {
+		api.HandleInternalError(response, request, err)
+		return
+	}
+
+	if decision != authorizer.DecisionAllow {
+		api.HandleForbidden(response, request, errors.New(reason))
+		return
+	}
+
 	conn, err := upgrader.Upgrade(response.ResponseWriter, request.Request, nil)
 	if err != nil {
 		klog.Warning(err)