From 6d5a26cfd194e261e11015506c357d175fa4946a Mon Sep 17 00:00:00 2001
From: Sarah Barili
Date: Wed, 6 Nov 2024 14:45:41 -0700
Subject: [PATCH 1/4] adding username validation to the invoker ssh server

---
 internal/codespaces/rpc/invoker.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/internal/codespaces/rpc/invoker.go b/internal/codespaces/rpc/invoker.go
index b9d321802..e00b6c304 100644
--- a/internal/codespaces/rpc/invoker.go
+++ b/internal/codespaces/rpc/invoker.go
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -241,6 +242,9 @@ func (i *invoker) StartSSHServerWithOptions(ctx context.Context, options StartSS
 		return 0, "", fmt.Errorf("failed to parse SSH server port: %w", err)
 	}
 
+	if !isUsernameValid(response.User) {
+		return 0, "", fmt.Errorf("invalid username: %s", response.User)
+	}
 	return port, response.User, nil
 }
 
@@ -300,3 +304,10 @@ func (i *invoker) notifyCodespaceOfClientActivity(ctx context.Context, activity
 	return nil
 }
 
+
+func isUsernameValid(username string) bool {
+	// assuming valid usernames are alphanumeric, with these special characters allowed: . _ -
+	var validUsernamePattern = `^[a-zA-Z0-9._-]+$`
+	re := regexp.MustCompile(validUsernamePattern)
+	return re.MatchString(username)
+}
From a02f84528a43d7cb5e68bf7060e7b7abeecb00ee Mon Sep 17 00:00:00 2001
From: Sarah Barili <103978419+sarahbarili@users.noreply.github.com>
Date: Fri, 8 Nov 2024 09:11:44 -0700
Subject: [PATCH 2/4] Update internal/codespaces/rpc/invoker.go

Co-authored-by: Caleb Brose <5447118+cmbrose@users.noreply.github.com>
---
 internal/codespaces/rpc/invoker.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/codespaces/rpc/invoker.go b/internal/codespaces/rpc/invoker.go
index e00b6c304..6ba8843ac 100644
--- a/internal/codespaces/rpc/invoker.go
+++ b/internal/codespaces/rpc/invoker.go
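Review bot: The rejected value is formatted with `%s` on the new `invalid username` line, so a name that fails validation precisely because it contains whitespace or control characters is printed as-is and can be unreadable or misleading in the error text; use `%q` so it is quoted and escaped: `return 0, "", fmt.Errorf("invalid username: %q", response.User)`. StartSSHServerWithOptions begins outside the hunk, so whether response.User is consumed anywhere before this check is not visible here.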
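Review bot: isUsernameValid calls regexp.MustCompile on every invocation even though the pattern is a constant; compile it once at package scope and give the function a doc comment, e.g. `var validUsername = regexp.MustCompile("^[a-zA-Z0-9._-]+$")`, then `// isUsernameValid reports whether username consists only of ASCII letters, digits, '.', '_' and '-'.` above `func isUsernameValid(username string) bool { return validUsername.MatchString(username) }`. The same applies to the pattern rewrite in the second patch of this series. The character class is ASCII-only, so any non-ASCII username is rejected; if that is intended it is worth stating in the comment rather than leaving it as an "assuming".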
@@ -307,7 +307,7 @@ func (i *invoker) notifyCodespaceOfClientActivity(ctx context.Context, activity
 
 func isUsernameValid(username string) bool {
 	// assuming valid usernames are alphanumeric, with these special characters allowed: . _ -
-	var validUsernamePattern = `^[a-zA-Z0-9._-]+$`
+	var validUsernamePattern = `^[a-zA-Z0-9_][-.a-zA-Z0-9_]*$`
 	re := regexp.MustCompile(validUsernamePattern)
 	return re.MatchString(username)
 }
From b8ef951de1cff45e56c1847bd0a2ed08e9173e60 Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Wed, 13 Nov 2024 13:04:01 -0500
Subject: [PATCH 3/4] Shorten extension release checking from 3s to 1s

Addressing feedback from extension author demonstration about a noticable pause waiting for extension execution to complete due to amount of time waiting on channel.
---
 pkg/cmd/root/extension.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/cmd/root/extension.go b/pkg/cmd/root/extension.go
index fcf0549c2..52250a432 100644
--- a/pkg/cmd/root/extension.go
+++ b/pkg/cmd/root/extension.go
@@ -72,7 +72,7 @@ func NewCmdExtension(io *iostreams.IOStreams, em extensions.ExtensionManager, ex
 						fmt.Fprintf(stderr, "%s\n\n", cs.Yellow(releaseInfo.URL))
 					}
-				case <-time.After(3 * time.Second):
+				case <-time.After(1 * time.Second):
 					// Bail on checking for new extension update as its taking too long
 				}
 			},
From d4262f818386ba4eea60ebdbb1951bf95c284a9f Mon Sep 17 00:00:00 2001
From: Andy Feller
Date: Thu, 14 Nov 2024 10:31:36 -0500
Subject: [PATCH 4/4] Mention GitHub CLI team on discussion issues

---
 .github/workflows/triage.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 6cd9d981d..849beebad 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -35,6 +35,8 @@ jobs:
 ---
+cc: @github/cli
+
 > $BODY
 EOF
@@ -63,5 +65,7 @@ jobs:
 ---
+cc: @github/cli
+
 > $BODY
 EOF
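Review bot: The comment directly above the changed line still describes the old rule ("alphanumeric, with these special characters allowed: . _ -"), but the new pattern `^[a-zA-Z0-9_][-.a-zA-Z0-9_]*$` additionally requires the first character to be a letter, digit or underscore, so a leading `-` or `.` is now rejected. Update the comment to state the rule and its reason, e.g. `// valid usernames start with a letter, digit or '_' and may then contain '.', '-' and '_'; a leading '-' or '.' is rejected so the value cannot be read as an option or a relative path if it is later placed on a command line` — the second clause is my reading of why the first character is restricted, so confirm it before committing. The pattern is still compiled on every call; hoisting it to a package-level `regexp.MustCompile` would avoid that. The enclosing function lies entirely within the hunk.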
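Review bot: The new wait is a bare `1 * time.Second` inline in the select, and the comment under it has a typo (`its` for `it's`) and does not say that a timed-out release check is silently dropped; name the value and reword the comment so the trade-off is visible, e.g. `case <-time.After(extensionUpdateCheckTimeout):` over `// Give up on the release check rather than delay the extension's exit; a slow lookup just means no update notice this run.`, with `const extensionUpdateCheckTimeout = 1 * time.Second` declared at package level (outside this hunk). Shortening the wait also makes the notice more likely to be skipped on slow networks, which the commit message should probably acknowledge. NewCmdExtension begins and ends outside the hunk.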