hub / github.com/ContainerSSH/ContainerSSH / OnSubsystem

Method OnSubsystem

internal/security/handler_session.go:206–262  ·  view source on GitHub ↗
(
	requestID uint64,
	subsystem string,
)

Source from the content-addressed store, hash-verified

204}
// OnSubsystem applies the configured subsystem policy to a subsystem request
// and, if the request is permitted, hands it to the backend.
//
// The policy returned by getPolicy for s.config.Subsystem.Mode decides the
// outcome:
//
//   - ExecutionPolicyDisable: every subsystem request is rejected.
//   - ExecutionPolicyFilter: the request is rejected unless s.contains reports
//     the subsystem in s.config.Subsystem.Allow (allow list).
//   - ExecutionPolicyEnable: the request is rejected only if s.contains reports
//     the subsystem in s.config.Subsystem.Deny (deny list).
//   - any other value: no check is performed and the request proceeds.
//
// Rejections are returned as a message.ESecuritySubsystemRejected user message
// and are logged at debug level only.
//
// When s.config.ForceCommand is non-empty the subsystem itself is never
// started. The requested subsystem name is instead passed to the backend as
// the SSH_ORIGINAL_COMMAND environment variable and the forced command is
// executed through the backend's OnExecRequest. The subsystem string is
// forwarded as-is; presumably it originates from the SSH client, so whatever
// consumes SSH_ORIGINAL_COMMAND should treat it as untrusted input.
func (s *sessionHandler) OnSubsystem(
	requestID uint64,
	subsystem string,
) error {
	switch s.getPolicy(s.config.Subsystem.Mode) {
	case config2.ExecutionPolicyDisable:
		// Subsystems are switched off entirely.
		rejection := message.UserMessage(
			message.ESecuritySubsystemRejected,
			"Subsystem execution disabled.",
			"Subsystem execution is disabled in the security settings.",
		)
		s.logger.Debug(rejection)
		return rejection
	case config2.ExecutionPolicyFilter:
		// Allow-list mode: anything not explicitly listed is refused.
		// NOTE(review): the matching rules of s.contains (exact match, case
		// sensitivity) are not visible here; confirm before relying on them.
		if allowed := s.contains(s.config.Subsystem.Allow, subsystem); !allowed {
			rejection := message.UserMessage(
				message.ESecuritySubsystemRejected,
				"Subsystem execution disabled.",
				"The specified subsystem does not match the allowed subsystems list.",
			)
			s.logger.Debug(rejection)
			return rejection
		}
	case config2.ExecutionPolicyEnable:
		// Deny-list mode: everything passes except listed subsystems.
		if denied := s.contains(s.config.Subsystem.Deny, subsystem); denied {
			rejection := message.UserMessage(
				message.ESecuritySubsystemRejected,
				"Subsystem execution disabled.",
				"The subsystem execution is rejected because the specified subsystem matches the deny list.",
			)
			s.logger.Debug(rejection)
			return rejection
		}
	default:
		// NOTE(review): a policy value not handled above falls through and the
		// request is allowed (fail-open). Whether getPolicy can return such a
		// value is not visible here; confirm it only yields the three modes
		// handled above.
	}

	forced := s.config.ForceCommand
	if forced == "" {
		// No forced command configured: start the requested subsystem.
		return s.backend.OnSubsystem(requestID, subsystem)
	}

	// A forced command replaces the subsystem. The original request is exposed
	// to it through SSH_ORIGINAL_COMMAND, set directly on the backend.
	setEnvErr := s.backend.OnEnvRequest(requestID, "SSH_ORIGINAL_COMMAND", subsystem)
	if setEnvErr != nil {
		wrapped := message.WrapUser(
			setEnvErr,
			message.ESecurityFailedSetEnv,
			"Could not execute program.",
			"Command execution failed because the security layer could not set the SSH_ORIGINAL_COMMAND variable.",
		)
		s.logger.Error(wrapped)
		return wrapped
	}

	forcing := message.NewMessage(
		message.MSecurityForcingCommand,
		"Forcing command execution to %s",
		forced,
	)
	s.logger.Debug(forcing)
	return s.backend.OnExecRequest(requestID, forced)
}

Callers 1

TestSubsystemFunction · 0.95

Calls 10

getPolicyMethod · 0.95
containsMethod · 0.95
UserMessageFunction · 0.92
WrapUserFunction · 0.92
NewMessageFunction · 0.92
DebugMethod · 0.65
OnSubsystemMethod · 0.65
OnEnvRequestMethod · 0.65
ErrorMethod · 0.65
OnExecRequestMethod · 0.65

Tested by 1

TestSubsystemFunction · 0.76