refactor(ssh): centralize ssh2 internal API access with version guards

Author: fabiovincenzi

package.json

@@ -136,7 +136,7 @@
     "react-html-parser": "^2.0.2",
     "react-router-dom": "6.30.3",
     "simple-git": "^3.30.0",
-    "ssh2": "^1.17.0",
+    "ssh2": "~1.17.0",
     "uuid": "^13.0.0",
     "validator": "^13.15.26",
     "yargs": "^17.7.2"

src/proxy/ssh/AgentForwarding.ts

@@ -24,8 +24,16 @@
 
 import { SSHAgentProxy } from './AgentProxy';
 import { ClientWithUser } from './types';
-
-// Import BaseAgent from ssh2 for custom agent implementation
+import {
+  getProtocol,
+  getChannelManager,
+  findAvailableChannelId,
+  getChannelModule,
+} from './sshInternals';
+
+// Import BaseAgent from ssh2 for custom agent implementation.
+// Like the other accesses in ./sshInternals, this path is not in ssh2's
+// package.json "exports". Verified working on ssh2 ~1.17.0.
 const { BaseAgent } = require('ssh2/lib/agent.js');
 
 /**
@@ -204,45 +212,51 @@ export class LazySSHAgent extends BaseAgent {
 export async function openTemporaryAgentChannel(
   client: ClientWithUser,
 ): Promise<SSHAgentProxy | null> {
-  // Access internal protocol handler (not exposed in public API)
-  const proto = (client as any)._protocol;
-  if (!proto) {
-    console.error('[SSH] No protocol found on client connection');
+  // All ssh2 internals access goes through ./sshInternals, which throws a
+  // clear version-aware error if the internal API has changed.
+  let proto;
+  let chanMgr;
+  let channelModule;
+  try {
+    proto = getProtocol(client);
+    chanMgr = getChannelManager(client);
+    channelModule = getChannelModule();
+  } catch (err) {
+    console.error('[SSH]', err instanceof Error ? err.message : String(err));
     return null;
   }
 
-  // Find next available channel ID by checking internal ChannelManager
-  // This prevents conflicts with channels that ssh2 might be managing
-  const chanMgr = (client as any)._chanMgr;
-  let localChan = 1; // Start from 1 (0 is typically main session)
-
-  if (chanMgr && chanMgr._channels) {
-    // Find first available channel ID
-    while (chanMgr._channels[localChan] !== undefined) {
-      localChan++;
-    }
-  }
+  // 0 is typically the main session, start scanning from 1
+  const localChan = findAvailableChannelId(chanMgr, 1);
 
   console.log(`[SSH] Opening agent channel with ID ${localChan}`);
 
   return new Promise((resolve) => {
-    const originalHandler = (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION;
-    const handlerWrapper = (self: any, info: any) => {
+    const originalHandler = proto._handlers.CHANNEL_OPEN_CONFIRMATION;
+
+    const restoreHandler = () => {
       if (originalHandler) {
-        originalHandler(self, info);
+        proto._handlers.CHANNEL_OPEN_CONFIRMATION = originalHandler;
+      } else {
+        delete proto._handlers.CHANNEL_OPEN_CONFIRMATION;
       }
+    };
 
-      if (info.recipient === localChan) {
-        clearTimeout(timeout);
+    const handlerWrapper = (...args: unknown[]) => {
+      if (originalHandler) {
+        originalHandler(...args);
+      }
 
-        // Restore original handler
-        if (originalHandler) {
-          (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION = originalHandler;
-        } else {
-          delete (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION;
-        }
+      const info = args[1] as {
+        recipient?: number;
+        sender: number;
+        window: number;
+        packetSize: number;
+      };
+      if (info?.recipient === localChan) {
+        clearTimeout(timeout);
+        restoreHandler();
 
-        // Create a Channel object manually
         try {
           const channelInfo = {
             type: 'auth-agent@openssh.com',
@@ -260,18 +274,15 @@ export async function openTemporaryAgentChannel(
             },
           };
 
-          const { Channel } = require('ssh2/lib/Channel');
-          const channel = new Channel(client, channelInfo, { server: true });
+          const channel = new channelModule.Channel(client, channelInfo, { server: true });
 
           // Register channel with ChannelManager
-          const chanMgr = (client as any)._chanMgr;
-          if (chanMgr) {
-            chanMgr._channels[localChan] = channel;
-            chanMgr._count++;
-          }
-
-          // Create the agent proxy
-          const agentProxy = new SSHAgentProxy(channel);
+          chanMgr._channels[localChan] = channel;
+          chanMgr._count++;
+
+          const agentProxy = new SSHAgentProxy(
+            channel as ConstructorParameters<typeof SSHAgentProxy>[0],
+          );
           resolve(agentProxy);
         } catch (err) {
           console.error('[SSH] Failed to create Channel/AgentProxy:', err);
@@ -280,22 +291,15 @@ export async function openTemporaryAgentChannel(
       }
     };
 
-    // Install our handler
-    (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION = handlerWrapper;
+    proto._handlers.CHANNEL_OPEN_CONFIRMATION = handlerWrapper;
 
     const timeout = setTimeout(() => {
       console.error('[SSH] Timeout waiting for channel confirmation');
-      if (originalHandler) {
-        (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION = originalHandler;
-      } else {
-        delete (proto as any)._handlers.CHANNEL_OPEN_CONFIRMATION;
-      }
+      restoreHandler();
       resolve(null);
     }, 5000);
 
-    // Send the channel open request
-    const { MAX_WINDOW, PACKET_SIZE } = require('ssh2/lib/Channel');
-    proto.openssh_authAgent(localChan, MAX_WINDOW, PACKET_SIZE);
+    proto.openssh_authAgent(localChan, channelModule.MAX_WINDOW, channelModule.PACKET_SIZE);
   });
 }
 

src/proxy/ssh/server.ts

@@ -30,6 +30,7 @@ import { ClientWithUser, SSH2ServerOptions } from './types';
 import { createMockResponse } from './sshHelpers';
 import { processGitUrl } from '../routes/helper';
 import { ensureHostKey } from './hostKeyManager';
+import { getProtocol, getSessionOutgoingChannelId } from './sshInternals';
 
 export class SSHServer {
   private server: ssh2.Server;
@@ -264,17 +265,18 @@ export class SSHServer {
         if (typeof accept === 'function') {
           accept();
         } else {
-          // Client sent wantReply=false, manually send CHANNEL_SUCCESS
+          // Client sent wantReply=false, manually send CHANNEL_SUCCESS via ssh2 internals.
           try {
-            const channelInfo = (session as any)._chanInfo;
-            if (channelInfo && channelInfo.outgoing && channelInfo.outgoing.id !== undefined) {
-              const proto = (client as any)._protocol || (client as any)._sock;
-              if (proto && typeof proto.channelSuccess === 'function') {
-                proto.channelSuccess(channelInfo.outgoing.id);
-              }
+            const outgoingChannelId = getSessionOutgoingChannelId(session);
+            if (outgoingChannelId !== undefined) {
+              const proto = getProtocol(client);
+              proto.channelSuccess(outgoingChannelId);
             }
           } catch (err) {
-            console.error('[SSH] Failed to send CHANNEL_SUCCESS:', err);
+            console.error(
+              '[SSH] Failed to send CHANNEL_SUCCESS:',
+              err instanceof Error ? err.message : String(err),
+            );
           }
         }
 

src/proxy/ssh/sshInternals.ts

@@ -0,0 +1,165 @@
+/**
+ * Copyright 2026 GitProxy Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Thin abstraction over ssh2 internal APIs.
+ *
+ * ssh2 does not expose a public server-side API for opening an
+ * `auth-agent@openssh.com` channel back to the connected client. To implement
+ * SSH agent forwarding from the server side we reach into underscore-prefixed
+ * internals (`_protocol`, `_chanMgr`, `_handlers`) and into the internal module
+ * `ssh2/lib/Channel`. Those symbols have NO semver stability guarantee.
+ *
+ * This module is the ONLY place allowed to access those internals. Every access
+ * is guarded and throws a descriptive, version-aware error when the shape of
+ * the internals changes. If ssh2 is upgraded and something breaks, the error
+ * will tell you which symbol disappeared and on which installed version.
+ *
+ * Verified working against ssh2 1.17.x. The package.json pin is `~1.17.0`
+ * (patch-only) to force a manual review on minor/major bumps.
+ */
+
+import * as ssh2 from 'ssh2';
+
+const ssh2Version: string = (() => {
+  try {
+     
+    return require('ssh2/package.json').version;
+  } catch {
+    return 'unknown';
+  }
+})();
+
+const VERIFIED_RANGE = '1.17.x';
+
+function fail(detail: string): never {
+  throw new Error(
+    `ssh2 internal API changed: ${detail} ` +
+      `(installed ssh2 version: ${ssh2Version}, verified working on ${VERIFIED_RANGE}). ` +
+      `If you upgraded ssh2, review src/proxy/ssh/sshInternals.ts and pin to a known-working version.`,
+  );
+}
+
+export interface Ssh2Protocol {
+  openssh_authAgent(localChan: number, maxWindow: number, packetSize: number): void;
+  channelSuccess(channelId: number): void;
+  _handlers: Record<string, (...args: unknown[]) => unknown>;
+}
+
+export interface Ssh2ChannelManager {
+  _channels: Record<number, unknown>;
+  _count: number;
+}
+
+export interface ChannelConstructor {
+  new (client: unknown, info: unknown, opts: { server: boolean }): unknown;
+}
+
+export interface ChannelModule {
+  Channel: ChannelConstructor;
+  MAX_WINDOW: number;
+  PACKET_SIZE: number;
+}
+
+/**
+ * Retrieve the internal `_protocol` object of an ssh2 Connection.
+ * Throws a descriptive error if the internal shape is not as expected.
+ */
+export function getProtocol(client: ssh2.Connection): Ssh2Protocol {
+  const proto = (client as unknown as { _protocol?: unknown })._protocol as
+    | Partial<Ssh2Protocol>
+    | undefined;
+  if (!proto) fail('client._protocol is missing');
+  if (typeof proto.openssh_authAgent !== 'function') {
+    fail('client._protocol.openssh_authAgent is missing or not a function');
+  }
+  if (typeof proto.channelSuccess !== 'function') {
+    fail('client._protocol.channelSuccess is missing or not a function');
+  }
+  if (!proto._handlers || typeof proto._handlers !== 'object') {
+    fail('client._protocol._handlers is missing or not an object');
+  }
+  return proto as Ssh2Protocol;
+}
+
+/**
+ * Retrieve the internal `_chanMgr` object of an ssh2 Connection.
+ */
+export function getChannelManager(client: ssh2.Connection): Ssh2ChannelManager {
+  const chanMgr = (client as unknown as { _chanMgr?: unknown })._chanMgr as
+    | Partial<Ssh2ChannelManager>
+    | undefined;
+  if (!chanMgr) fail('client._chanMgr is missing');
+  if (!chanMgr._channels || typeof chanMgr._channels !== 'object') {
+    fail('client._chanMgr._channels is missing or not an object');
+  }
+  if (typeof chanMgr._count !== 'number') {
+    fail('client._chanMgr._count is missing or not a number');
+  }
+  return chanMgr as Ssh2ChannelManager;
+}
+
+/**
+ * Find the first channel ID not currently in use by the given channel manager.
+ * Starts scanning at `startId` (default 1; 0 is typically the main session).
+ */
+export function findAvailableChannelId(chanMgr: Ssh2ChannelManager, startId = 1): number {
+  let id = startId;
+  while (chanMgr._channels[id] !== undefined) id++;
+  return id;
+}
+
+let cachedChannelModule: ChannelModule | null = null;
+
+/**
+ * Load the internal `ssh2/lib/Channel` module and validate its exports.
+ * The result is cached for subsequent calls.
+ */
+export function getChannelModule(): ChannelModule {
+  if (cachedChannelModule) return cachedChannelModule;
+
+  let mod: Partial<ChannelModule>;
+  try {
+     
+    mod = require('ssh2/lib/Channel');
+  } catch (err) {
+    fail(`cannot require('ssh2/lib/Channel'): ${err instanceof Error ? err.message : String(err)}`);
+  }
+  if (typeof mod.Channel !== 'function') fail('ssh2/lib/Channel does not export Channel');
+  if (typeof mod.MAX_WINDOW !== 'number') fail('ssh2/lib/Channel does not export MAX_WINDOW');
+  if (typeof mod.PACKET_SIZE !== 'number') fail('ssh2/lib/Channel does not export PACKET_SIZE');
+
+  cachedChannelModule = mod as ChannelModule;
+  return cachedChannelModule;
+}
+
+/**
+ * Extract the outgoing channel id from an ssh2 server session via its internal
+ * `_chanInfo` property. Returns undefined if the info is not available yet.
+ * Used to send a manual CHANNEL_SUCCESS when the client sets wantReply=false.
+ */
+export function getSessionOutgoingChannelId(session: unknown): number | undefined {
+  const info = (session as { _chanInfo?: { outgoing?: { id?: unknown } } } | undefined)?._chanInfo;
+  const id = info?.outgoing?.id;
+  return typeof id === 'number' ? id : undefined;
+}
+
+/**
+ * For tests: exposes the installed version string.
+ */
+export function getInstalledSsh2Version(): string {
+  return ssh2Version;
+}