cli/connhelper: quote ssh arguments to prevent shell injection

When connecting to a remote daemon through an ssh:// connection,
the CLI connects with the remote host using ssh, executing the
`docker system dial-stdio` command on the remote host to connect
to the daemon API's unix socket.

By default, the `docker system dial-stdio` command connects with the
daemon using the default location (/var/run/docker.sock), or the
location as configured on the remote host.

Commit 25ebf0e (included in docker
CLI v24.0.0-rc.2 and higher) introduced a feature to allow the location
of the socket to be specified through the host connection string, for
example:

     DOCKER_HOST='ssh://example.test/run/custom-docker.sock'

The custom path is included as part of the ssh command executed from
the client machine to connect with the remote host. THe example above
would execute the following command from the client machine;

    ssh -o ConnectTimeout=30 -T -- example.test docker --host unix:///run/custom-docker.sock system dial-stdio

ssh executes remote commands in a shell environment, and no quoting
was in place, which allowed for a connection string to include additional
content, which would be expanded / executed on the remote machine.

For example, the following example would execute `echo hello > /hello.txt`
on the remote machine;

    export DOCKER_HOST='ssh://example.test/var/run/docker.sock $(echo hello > /hello.txt)'
    docker info
    # (output of docker info from the remote machine)

While this doesn't allow the user to do anything they're not already
able to do so (by directly using the same SSH connection), the behavior
is not expected, so this patch adds quoting to prevent such URLs from
resulting in expansion.

This patch updates the cli/connhelper and cli/connhelper/ssh package to
quote parameters used in the ssh command to prevent code execution and
expansion of variables on the remote machine. Quoting is also applied to
other parameters that are obtained from the DOCKER_HOST url, such as username
and hostname.

- The existing `Spec.Args()` method inthe cli/connhelper/ssh package now
  quotes arguments, and returns a nil slice when failing to quote. Users
  of this package should therefore check the returned arguments before
  consuming. This  method did not provide an error-return, and adding
  one would be a breaking change.
- A new `Spec.Command` method is introduced, which (unlike the `Spec.Args()`
  method) provides an error return. Users are recommended to use this new
  method instead of the `Spec.Args()` method.

Some minor additional changes in behavior are included in this patch;

- Connection URLs with a trailing slash (e.g. `ssh://example.test/`)
  would previously result in `unix:///` being used as custom socket
  path. After this patch, the trailing slash is ignored, and no custom
  socket path is used.
- Specifying a remote command is now required. When passing an empty
  remote command, `Spec.Args()` now results in a `nil` value to be
  returned (or an `no remote command specified` error when using
  `Spec.Comnmand()`.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Author: thaJeztah

cli/connhelper/connhelper.go

@@ -47,14 +47,19 @@ func getConnectionHelper(daemonURL string, sshFlags []string) (*ConnectionHelper
 		}
 		sshFlags = addSSHTimeout(sshFlags)
 		sshFlags = disablePseudoTerminalAllocation(sshFlags)
+
+		remoteCommand := []string{"docker", "system", "dial-stdio"}
+		socketPath := sp.Path
+		if strings.Trim(sp.Path, "/") != "" {
+			remoteCommand = []string{"docker", "--host=unix://" + socketPath, "system", "dial-stdio"}
+		}
+		sshArgs, err := sp.Command(sshFlags, remoteCommand...)
+		if err != nil {
+			return nil, err
+		}
 		return &ConnectionHelper{
 			Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				args := []string{"docker"}
-				if sp.Path != "" {
-					args = append(args, "--host", "unix://"+sp.Path)
-				}
-				args = append(args, "system", "dial-stdio")
-				return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args(args...)...)...)
+				return commandconn.New(ctx, "ssh", sshArgs...)
 			},
 			Host: "http://docker.example.com",
 		}, nil

cli/connhelper/ssh/ssh.go

@@ -5,6 +5,8 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+
+	"github.com/docker/cli/cli/connhelper/internal/syntax"
 )
 
 // ParseURL creates a [Spec] from the given ssh URL. It returns an error if
@@ -76,16 +78,106 @@ type Spec struct {
 	Path string
 }
 
-// Args returns args except "ssh" itself combined with optional additional command args
-func (sp *Spec) Args(add ...string) []string {
+// Args returns args except "ssh" itself combined with optional additional
+// command and args to be executed on the remote host. It attempts to quote
+// the given arguments to account for ssh executing the remote command in a
+// shell. It returns nil when unable to quote the remote command.
+func (sp *Spec) Args(remoteCommandAndArgs ...string) []string {
+	// Format the remote command to run using the ssh connection, quoting
+	// values where needed because ssh executes these in a POSIX shell.
+	remoteCommand, err := quoteCommand(remoteCommandAndArgs...)
+	if err != nil {
+		return nil
+	}
+
+	sshArgs, err := sp.args()
+	if err != nil {
+		return nil
+	}
+	if remoteCommand != "" {
+		sshArgs = append(sshArgs, remoteCommand)
+	}
+	return sshArgs
+}
+
+func (sp *Spec) args(sshFlags ...string) ([]string, error) {
 	var args []string
+	if sp.Host == "" {
+		return nil, errors.New("no host specified")
+	}
 	if sp.User != "" {
-		args = append(args, "-l", sp.User)
+		// Quote user, as it's obtained from the URL.
+		usr, err := syntax.Quote(sp.User, syntax.LangPOSIX)
+		if err != nil {
+			return nil, fmt.Errorf("invalid user: %w", err)
+		}
+		args = append(args, "-l", usr)
 	}
 	if sp.Port != "" {
-		args = append(args, "-p", sp.Port)
+		// Quote port, as it's obtained from the URL.
+		port, err := syntax.Quote(sp.Port, syntax.LangPOSIX)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port: %w", err)
+		}
+		args = append(args, "-p", port)
+	}
+
+	// We consider "sshFlags" to be "trusted", and set from code only,
+	// as they are not parsed from the DOCKER_HOST URL.
+	args = append(args, sshFlags...)
+
+	host, err := syntax.Quote(sp.Host, syntax.LangPOSIX)
+	if err != nil {
+		return nil, fmt.Errorf("invalid host: %w", err)
+	}
+
+	return append(args, "--", host), nil
+}
+
+// Command returns the ssh flags and arguments to execute a command
+// (remoteCommandAndArgs) on the remote host. Where needed, it quotes
+// values passed in remoteCommandAndArgs to account for ssh executing
+// the remote command in a shell. It returns an error if no remote command
+// is passed, or when unable to quote the remote command.
+//
+// Important: to preserve backward-compatibility, Command does not currently
+// perform sanitization or quoting on the sshFlags and callers are expected
+// to sanitize this argument.
+func (sp *Spec) Command(sshFlags []string, remoteCommandAndArgs ...string) ([]string, error) {
+	if len(remoteCommandAndArgs) == 0 {
+		return nil, errors.New("no remote command specified")
+	}
+	sshArgs, err := sp.args(sshFlags...)
+	if err != nil {
+		return nil, err
+	}
+	remoteCommand, err := quoteCommand(remoteCommandAndArgs...)
+	if err != nil {
+		return nil, err
+	}
+	if remoteCommand != "" {
+		sshArgs = append(sshArgs, remoteCommand)
+	}
+	return sshArgs, nil
+}
+
+// quoteCommand returns the remote command to run using the ssh connection
+// as a single string, quoting values where needed because ssh executes
+// these in a POSIX shell.
+func quoteCommand(commandAndArgs ...string) (string, error) {
+	var quotedCmd string
+	for i, arg := range commandAndArgs {
+		a, err := syntax.Quote(arg, syntax.LangPOSIX)
+		if err != nil {
+			return "", fmt.Errorf("invalid argument: %w", err)
+		}
+		if i == 0 {
+			quotedCmd = a
+			continue
+		}
+		quotedCmd += " " + a
 	}
-	args = append(args, "--", sp.Host)
-	args = append(args, add...)
-	return args
+	// each part is quoted appropriately, so now we'll have a full
+	// shell command to pass off to "ssh"
+	return quotedCmd, nil
 }

cli/connhelper/ssh/ssh_test.go

@@ -1,6 +1,7 @@
 package ssh
 
 import (
+	"strings"
 	"testing"
 
 	"gotest.tools/v3/assert"
@@ -26,6 +27,28 @@ func TestParseURL(t *testing.T) {
 				Host: "example.com",
 			},
 		},
+		{
+			doc: "bare ssh URL with trailing slash",
+			url: "ssh://example.com/",
+			expectedArgs: []string{
+				"--", "example.com",
+			},
+			expectedSpec: Spec{
+				Host: "example.com",
+				Path: "/",
+			},
+		},
+		{
+			doc: "bare ssh URL with trailing slashes",
+			url: "ssh://example.com//",
+			expectedArgs: []string{
+				"--", "example.com",
+			},
+			expectedSpec: Spec{
+				Host: "example.com",
+				Path: "//",
+			},
+		},
 		{
 			doc: "bare ssh URL and remote command",
 			url: "ssh://example.com",
@@ -34,7 +57,7 @@ func TestParseURL(t *testing.T) {
 			},
 			expectedArgs: []string{
 				"--", "example.com",
-				"docker", "system", "dial-stdio",
+				`docker system dial-stdio`,
 			},
 			expectedSpec: Spec{
 				Host: "example.com",
@@ -48,7 +71,7 @@ func TestParseURL(t *testing.T) {
 			},
 			expectedArgs: []string{
 				"--", "example.com",
-				"docker", "--host", "unix:///var/run/docker.sock", "system", "dial-stdio",
+				`docker --host unix:///var/run/docker.sock system dial-stdio`,
 			},
 			expectedSpec: Spec{
 				Host: "example.com",
@@ -84,6 +107,25 @@ func TestParseURL(t *testing.T) {
 				Path: "/var/run/docker.sock",
 			},
 		},
+		{
+			// This test is only to verify the behavior of ParseURL to
+			// pass through the Path as-is. Neither Spec.Args, nor
+			// Spec.Command use the Path field directly, and it should
+			// likely be deprecated.
+			doc: "bad path",
+			url: `ssh://example.com/var/run/docker.sock '$(echo hello > /hello.txt)'`,
+			remoteCommand: []string{
+				"docker", "--host", `unix:///var/run/docker.sock '$(echo hello > /hello.txt)'`, "system", "dial-stdio",
+			},
+			expectedArgs: []string{
+				"--", "example.com",
+				`docker --host "unix:///var/run/docker.sock '\$(echo hello > /hello.txt)'" system dial-stdio`,
+			},
+			expectedSpec: Spec{
+				Host: "example.com",
+				Path: `/var/run/docker.sock '$(echo hello > /hello.txt)'`,
+			},
+		},
 		{
 			doc:           "malformed URL",
 			url:           "malformed %%url",
@@ -123,6 +165,21 @@ func TestParseURL(t *testing.T) {
 			url:           "https://example.com",
 			expectedError: `invalid SSH URL: incorrect scheme: https`,
 		},
+		{
+			doc:           "invalid URL with NUL character",
+			url:           "ssh://example.com/var/run/\x00docker.sock",
+			expectedError: `invalid SSH URL: net/url: invalid control character in URL`,
+		},
+		{
+			doc:           "invalid URL with newline character",
+			url:           "ssh://example.com/var/run/docker.sock\n",
+			expectedError: `invalid SSH URL: net/url: invalid control character in URL`,
+		},
+		{
+			doc:           "invalid URL with control character",
+			url:           "ssh://example.com/var/run/\x1bdocker.sock",
+			expectedError: `invalid SSH URL: net/url: invalid control character in URL`,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.doc, func(t *testing.T) {
@@ -139,3 +196,122 @@ func TestParseURL(t *testing.T) {
 		})
 	}
 }
+
+func TestCommand(t *testing.T) {
+	testCases := []struct {
+		doc           string
+		url           string
+		sshFlags      []string
+		customCmd     []string
+		expectedCmd   []string
+		expectedError string
+	}{
+		{
+			doc: "bare ssh URL",
+			url: "ssh://example.com",
+			expectedCmd: []string{
+				"--", "example.com",
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc: "bare ssh URL with trailing slash",
+			url: "ssh://example.com/",
+			expectedCmd: []string{
+				"--", "example.com",
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc:      "bare ssh URL with custom ssh flags",
+			url:      "ssh://example.com",
+			sshFlags: []string{"-T", "-o", "ConnectTimeout=30", "-oStrictHostKeyChecking=no"},
+			expectedCmd: []string{
+				"-T",
+				"-o", "ConnectTimeout=30",
+				"-oStrictHostKeyChecking=no",
+				"--", "example.com",
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc:      "ssh URL with all options",
+			url:      "ssh://[email protected]:10022/var/run/docker.sock",
+			sshFlags: []string{"-T", "-o ConnectTimeout=30"},
+			expectedCmd: []string{
+				"-l", "me",
+				"-p", "10022",
+				"-T",
+				"-o ConnectTimeout=30",
+				"--", "example.com",
+				"docker '--host=unix:///var/run/docker.sock' system dial-stdio",
+			},
+		},
+		{
+			doc:      "bad ssh flags",
+			url:      "ssh://example.com",
+			sshFlags: []string{"-T", "-o", `ConnectTimeout=30 $(echo hi > /hi.txt)`},
+			expectedCmd: []string{
+				"-T",
+				"-o", `ConnectTimeout=30 $(echo hi > /hi.txt)`,
+				"--", "example.com",
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc: "bad username",
+			url: `ssh://$(shutdown)[email protected]`,
+			expectedCmd: []string{
+				"-l", `'$(shutdown)me'`,
+				"--", "example.com",
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc: "bad hostname",
+			url: `ssh://$(shutdown)example.com`,
+			expectedCmd: []string{
+				"--", `'$(shutdown)example.com'`,
+				"docker system dial-stdio",
+			},
+		},
+		{
+			doc: "bad path",
+			url: `ssh://example.com/var/run/docker.sock '$(echo hello > /hello.txt)'`,
+			expectedCmd: []string{
+				"--", "example.com",
+				`docker "--host=unix:///var/run/docker.sock '\$(echo hello > /hello.txt)'" system dial-stdio`,
+			},
+		},
+		{
+			doc:           "missing command",
+			url:           "ssh://example.com",
+			customCmd:     []string{},
+			expectedError: "no remote command specified",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.doc, func(t *testing.T) {
+			sp, err := ParseURL(tc.url)
+			assert.NilError(t, err)
+
+			var commandAndArgs []string
+			if tc.customCmd == nil {
+				socketPath := sp.Path
+				commandAndArgs = []string{"docker", "system", "dial-stdio"}
+				if strings.Trim(socketPath, "/") != "" {
+					commandAndArgs = []string{"docker", "--host=unix://" + socketPath, "system", "dial-stdio"}
+				}
+			}
+
+			actualCmd, err := sp.Command(tc.sshFlags, commandAndArgs...)
+			if tc.expectedError == "" {
+				assert.NilError(t, err)
+				assert.Check(t, is.DeepEqual(actualCmd, tc.expectedCmd), "%+#v", actualCmd)
+			} else {
+				assert.Check(t, is.Error(err, tc.expectedError))
+				assert.Check(t, is.Nil(actualCmd))
+			}
+		})
+	}
+}