chore: version specific fixes

fix: disallow PORT connections to alternate hosts
Ensure the data socket that the server connects to from the PORT command is the same IP as the current command socket. * fix: add error handling to additional connection commands
2020-08-17 14:22:13 -06:00 · 2020-08-17 14:18:50 -06:00
11 changed files with 62 additions and 21 deletions
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "ftp-srv",
-  "version": "0.0.0-development",
+  "version": "2.19.6",
  "description": "Modern, extensible FTP Server",
  "keywords": [
    "ftp",
--- a/src/commands/registration/eprt.js
+++ b/src/commands/registration/eprt.js
@@ -8,14 +8,18 @@ const FAMILY = {

 module.exports = {
  directive: 'EPRT',
-  handler: function ({command} = {}) {
+  handler: function ({log, command} = {}) {
    const [, protocol, ip, port] = _.chain(command).get('arg', '').split('|').value();
    const family = FAMILY[protocol];
    if (!family) return this.reply(504, 'Unknown network protocol');

    this.connector = new ActiveConnector(this);
    return this.connector.setupConnection(ip, port, family)
-    .then(() => this.reply(200));
+    .then(() => this.reply(200))
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
+    });
  },
  syntax: '{{cmd}} |<protocol>|<address>|<port>|',
  description: 'Specifies an address and port to which the server should connect'
--- a/src/commands/registration/epsv.js
+++ b/src/commands/registration/epsv.js
@@ -2,13 +2,17 @@ const PassiveConnector = require('../../connector/passive');

 module.exports = {
  directive: 'EPSV',
-  handler: function () {
+  handler: function ({log}) {
    this.connector = new PassiveConnector(this);
    return this.connector.setupServer()
    .then(server => {
      const {port} = server.address();

      return this.reply(229, `EPSV OK (|||${port}|)`);
+    })
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
    });
  },
  syntax: '{{cmd}} [<protocol>]',
--- a/src/commands/registration/pasv.js
+++ b/src/commands/registration/pasv.js
@@ -13,6 +13,10 @@ module.exports = {
      const portByte2 = port % 256;

      return this.reply(227, `PASV OK (${host},${portByte1},${portByte2})`);
+    })
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
    });
  },
  syntax: '{{cmd}}',
--- a/src/commands/registration/port.js
+++ b/src/commands/registration/port.js
@@ -14,7 +14,11 @@ module.exports = {
    const port = portBytes[0] * 256 + portBytes[1];

    return this.connector.setupConnection(ip, port)
-    .then(() => this.reply(200));
+    .then(() => this.reply(200))
+    .catch((err) => {
+      log.error(err);
+      return this.reply(err.code || 425, err.message);
+    });
  },
  syntax: '{{cmd}} <x>,<x>,<x>,<x>,<y>,<y>',
  description: 'Specifies an address and port to which the server should connect'
--- a/src/connector/active.js
+++ b/src/connector/active.js
@@ -1,7 +1,9 @@
 const {Socket} = require('net');
 const tls = require('tls');
+const ip = require('ip');
 const Promise = require('bluebird');
 const Connector = require('./base');
+const {SocketError} = require('../errors');

 class Active extends Connector {
  constructor(connection) {
@@ -27,6 +29,10 @@ class Active extends Connector {

    return closeExistingServer()
    .then(() => {
+      if (!ip.isEqual(this.connection.commandSocket.remoteAddress, host)) {
+        throw new SocketError('The given address is not yours', 500);
+      }
+
      this.dataSocket = new Socket();
      this.dataSocket.setEncoding(this.connection.transferType);
      this.dataSocket.on('error', err => this.server && this.server.emit('client-error', {connection: this.connection, context: 'dataSocket', error: err}));
--- a/src/connector/base.js
+++ b/src/connector/base.js
@@ -28,7 +28,7 @@ class Connector {

  end() {
    const closeDataSocket = new Promise(resolve => {
-      if (this.dataSocket) this.dataSocket.end();
+      if (this.dataSocket) this.dataSocket.end(() => this.dataSocket && this.dataSocket.destroy());
      else resolve();
    });
    const closeDataServer = new Promise(resolve => {
--- a/test/commands/registration/eprt.spec.js
+++ b/test/commands/registration/eprt.spec.js
@@ -23,7 +23,7 @@ describe(CMD, function () {
  });

  it('// unsuccessful | no argument', () => {
-    return cmdFn()
+    return cmdFn({})
    .then(() => {
      expect(mockClient.reply.args[0][0]).to.equal(504);
    });
--- a/test/commands/registration/epsv.spec.js
+++ b/test/commands/registration/epsv.spec.js
@@ -25,7 +25,7 @@ describe(CMD, function () {
  });

  it('// successful IPv4', () => {
-    return cmdFn()
+    return cmdFn({})
    .then(() => {
      const [code, message] = mockClient.reply.args[0];
      expect(code).to.equal(229);
--- a/test/connector/active.spec.js
+++ b/test/connector/active.spec.js
@@ -1,6 +1,7 @@
 /* eslint no-unused-expressions: 0 */
 const {expect} = require('chai');
 const sinon = require('sinon');
+const Promise = require('bluebird');

 const net = require('net');
 const tls = require('tls');
@@ -11,15 +12,17 @@ const findPort = require('../../src/helpers/find-port');
 describe('Connector - Active //', function () {
  let PORT;
  let active;
-  let mockConnection = {};
+  let mockConnection = {
+    commandSocket: {
+      remoteAddress: '::ffff:127.0.0.1'
+    }
+  };
  let sandbox;
  let server;

-  before(() => {
+  beforeEach((done) => {
    active = new ActiveConnector(mockConnection);
-  });
-  beforeEach(done => {
-    sandbox = sinon.sandbox.create();
+    sandbox = sinon.sandbox.create().usingPromise(Promise);

    findPort()
    .then(port => {
@@ -29,9 +32,11 @@ describe('Connector - Active //', function () {
      .listen(PORT, () => done());
    });
  });
-  afterEach(done => {
+
+  afterEach(() => {
    sandbox.restore();
-    server.close(done);
+    server.close();
+    active.end();
  });

  it('sets up a connection', function () {
@@ -41,13 +46,27 @@ describe('Connector - Active //', function () {
    });
  });

-  it('destroys existing connection, then sets up a connection', function () {
-    const destroyFnSpy = sandbox.spy(active.dataSocket, 'destroy');
+  it('rejects alternative host', function () {
+    return active.setupConnection('123.45.67.89', PORT)
+    .catch((err) => {
+      expect(err.code).to.equal(500);
+      expect(err.message).to.equal('The given address is not yours');
+    })
+    .finally(() => {
+      expect(active.dataSocket).not.to.exist;
+    });
+  });

+  it('destroys existing connection, then sets up a connection', function () {
    return active.setupConnection('127.0.0.1', PORT)
    .then(() => {
-      expect(destroyFnSpy.callCount).to.equal(1);
-      expect(active.dataSocket).to.exist;
+      const destroyFnSpy = sandbox.spy(active.dataSocket, 'destroy');
+
+      return active.setupConnection('127.0.0.1', PORT)
+      .then(() => {
+        expect(destroyFnSpy.callCount).to.equal(1);
+        expect(active.dataSocket).to.exist;
+      });
    });
  });

--- a/test/helpers/find-port.spec.js
+++ b/test/helpers/find-port.spec.js
@@ -20,8 +20,8 @@ describe('helpers // find-port', function () {
  it('finds a port', () => {
    return findPort(1)
    .then(port => {
-      expect(Server.prototype.listen.callCount).to.be.above(1);
-      expect(port).to.be.above(1);
+      expect(Server.prototype.listen.callCount).to.be.above(0);
+      expect(port).to.be.above(0);
    });
  });
Author	SHA1	Message	Date
Tyler Stewart	79438158f3	chore: version specific fixes	2020-08-17 14:22:13 -06:00
Tyler Stewart	fb32b012c3	fix: disallow PORT connections to alternate hosts Ensure the data socket that the server connects to from the PORT command is the same IP as the current command socket. * fix: add error handling to additional connection commands	2020-08-17 14:18:50 -06:00