chore: version specific fixes

fix: disallow PORT connections to alternate hosts
Ensure the data socket that the server connects to from the PORT command is the same IP as the current command socket. * fix: add error handling to additional connection commands
2020-08-17 14:09:14 -06:00 · 2020-08-17 14:01:12 -06:00
10 changed files with 59 additions and 18 deletions
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "ftp-srv",
-  "version": "0.0.0-development",
+  "version": "3.1.2",
  "description": "Modern, extensible FTP Server",
  "keywords": [
    "ftp",
--- a/src/commands/registration/eprt.js
+++ b/src/commands/registration/eprt.js
@@ -8,14 +8,18 @@ const FAMILY = {

 module.exports = {
  directive: 'EPRT',
-  handler: function ({command} = {}) {
+  handler: function ({log, command} = {}) {
    const [, protocol, ip, port] = _.chain(command).get('arg', '').split('|').value();
    const family = FAMILY[protocol];
    if (!family) return this.reply(504, 'Unknown network protocol');

    this.connector = new ActiveConnector(this);
    return this.connector.setupConnection(ip, port, family)
-    .then(() => this.reply(200));
+    .then(() => this.reply(200))
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
+    });
  },
  syntax: '{{cmd}} |<protocol>|<address>|<port>|',
  description: 'Specifies an address and port to which the server should connect'
--- a/src/commands/registration/epsv.js
+++ b/src/commands/registration/epsv.js
@@ -2,13 +2,17 @@ const PassiveConnector = require('../../connector/passive');

 module.exports = {
  directive: 'EPSV',
-  handler: function () {
+  handler: function ({log}) {
    this.connector = new PassiveConnector(this);
    return this.connector.setupServer()
    .then((server) => {
      const {port} = server.address();

      return this.reply(229, `EPSV OK (|||${port}|)`);
+    })
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
    });
  },
  syntax: '{{cmd}} [<protocol>]',
--- a/src/commands/registration/pasv.js
+++ b/src/commands/registration/pasv.js
@@ -13,6 +13,10 @@ module.exports = {
      const portByte2 = port % 256;

      return this.reply(227, `PASV OK (${host},${portByte1},${portByte2})`);
+    })
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
    });
  },
  syntax: '{{cmd}}',
--- a/src/commands/registration/port.js
+++ b/src/commands/registration/port.js
@@ -14,7 +14,11 @@ module.exports = {
    const port = portBytes[0] * 256 + portBytes[1];

    return this.connector.setupConnection(ip, port)
-    .then(() => this.reply(200));
+    .then(() => this.reply(200))
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
+    });
  },
  syntax: '{{cmd}} <x>,<x>,<x>,<x>,<y>,<y>',
  description: 'Specifies an address and port to which the server should connect'
--- a/src/connector/active.js
+++ b/src/connector/active.js
@@ -1,7 +1,9 @@
 const {Socket} = require('net');
 const tls = require('tls');
+const ip = require('ip');
 const Promise = require('bluebird');
 const Connector = require('./base');
+const {SocketError} = require('../errors');

 class Active extends Connector {
  constructor(connection) {
@@ -27,6 +29,10 @@ class Active extends Connector {

    return closeExistingServer()
    .then(() => {
+      if (!ip.isEqual(this.connection.commandSocket.remoteAddress, host)) {
+        throw new SocketError('The given address is not yours', 500);
+      }
+
      this.dataSocket = new Socket();
      this.dataSocket.setEncoding(this.connection.transferType);
      this.dataSocket.on('error', (err) => this.server && this.server.emit('client-error', {connection: this.connection, context: 'dataSocket', error: err}));
--- a/src/connector/base.js
+++ b/src/connector/base.js
@@ -29,7 +29,7 @@ class Connector {
  closeSocket() {
    if (this.dataSocket) {
      const socket = this.dataSocket;
-      this.dataSocket.end(() => socket.destroy());
+      this.dataSocket.end(() => socket && socket.destroy());
      this.dataSocket = null;
    }
  }
--- a/test/commands/registration/eprt.spec.js
+++ b/test/commands/registration/eprt.spec.js
@@ -23,7 +23,7 @@ describe(CMD, function () {
  });

  it('// unsuccessful | no argument', () => {
-    return cmdFn()
+    return cmdFn({})
    .then(() => {
      expect(mockClient.reply.args[0][0]).to.equal(504);
    });
--- a/test/commands/registration/epsv.spec.js
+++ b/test/commands/registration/epsv.spec.js
@@ -25,7 +25,7 @@ describe(CMD, function () {
  });

  it('// successful IPv4', () => {
-    return cmdFn()
+    return cmdFn({})
    .then(() => {
      const [code, message] = mockClient.reply.args[0];
      expect(code).to.equal(229);
--- a/test/connector/active.spec.js
+++ b/test/connector/active.spec.js
@@ -12,14 +12,16 @@ describe('Connector - Active //', function () {
  let getNextPort = getNextPortFactory(1024);
  let PORT;
  let active;
-  let mockConnection = {};
+  let mockConnection = {
+    commandSocket: {
+      remoteAddress: '::ffff:127.0.0.1'
+    }
+  };
  let sandbox;
  let server;

-  before(() => {
-    active = new ActiveConnector(mockConnection);
-  });
  beforeEach((done) => {
+    active = new ActiveConnector(mockConnection);
    sandbox = sinon.sandbox.create().usingPromise(Promise);

    getNextPort()
@@ -30,9 +32,12 @@ describe('Connector - Active //', function () {
      .listen(PORT, () => done());
    });
  });
-  afterEach((done) => {
+
+  afterEach(() => {
    sandbox.restore();
-    server.close(done);
+    server.close();
+    active.end();
+
  });

  it('sets up a connection', function () {
@@ -42,13 +47,27 @@ describe('Connector - Active //', function () {
    });
  });

-  it('destroys existing connection, then sets up a connection', function () {
-    const destroyFnSpy = sandbox.spy(active.dataSocket, 'destroy');
+  it('rejects alternative host', function () {
+    return active.setupConnection('123.45.67.89', PORT)
+    .catch((err) => {
+      expect(err.code).to.equal(500);
+      expect(err.message).to.equal('The given address is not yours');
+    })
+    .finally(() => {
+      expect(active.dataSocket).not.to.exist;
+    });
+  });

+  it('destroys existing connection, then sets up a connection', function () {
    return active.setupConnection('127.0.0.1', PORT)
    .then(() => {
-      expect(destroyFnSpy.callCount).to.equal(1);
-      expect(active.dataSocket).to.exist;
+      const destroyFnSpy = sandbox.spy(active.dataSocket, 'destroy');
+
+      return active.setupConnection('127.0.0.1', PORT)
+      .then(() => {
+        expect(destroyFnSpy.callCount).to.equal(1);
+        expect(active.dataSocket).to.exist;
+      });
    });
  });
Author	SHA1	Message	Date
Tyler Stewart	ddc2dc7803	chore: version specific fixes	2020-08-17 14:09:14 -06:00
Tyler Stewart	5508c2346c	fix: disallow PORT connections to alternate hosts Ensure the data socket that the server connects to from the PORT command is the same IP as the current command socket. * fix: add error handling to additional connection commands	2020-08-17 14:01:12 -06:00