
Commit d49b15f

yosuke-wolfsslejohnstown
authored andcommitted
SFTP path confinement and status-reply refactor
1 parent 12d39dd commit d49b15f

7 files changed

Lines changed: 973 additions & 275 deletions


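--- a/.github/workflows/network-contention-test.yml
+++ b/.github/workflows/network-contention-test.yml
@@ -111,13 +111,13 @@ jobs:
 run: sudo apt-get update && sudo apt-get install -y expect
 
 - name: Create large test files
+working-directory: ./wolfssh/
 run: |
-dd if=/dev/urandom of=/tmp/test_1kb.dat bs=1K count=1
-dd if=/dev/urandom of=/tmp/test_2mb.dat bs=1M count=2
-dd if=/dev/urandom of=/tmp/test_10mb.dat bs=1M count=10
-md5sum /tmp/test_*.dat > /tmp/test_checksums.md5
+dd if=/dev/urandom of=test_1kb.dat bs=1K count=1
+dd if=/dev/urandom of=test_2mb.dat bs=1M count=2
+dd if=/dev/urandom of=test_10mb.dat bs=1M count=10
 echo "Test files created:"
-ls -la /tmp/test_*.dat
+ls -la test_*.dat
 
 - name: Run extended SFTP file transfer tests
 working-directory: ./wolfssh/
@@ -148,8 +148,8 @@ jobs:
 
 # Test 1KB file transfer
 echo "Testing 1KB file transfer..."
-/tmp/sftp_test.exp /tmp/test_1kb.dat /tmp/recv_1kb.dat
-if ! cmp -s /tmp/test_1kb.dat /tmp/recv_1kb.dat; then
+/tmp/sftp_test.exp test_1kb.dat /tmp/recv_1kb.dat
+if ! cmp -s test_1kb.dat /tmp/recv_1kb.dat; then
 echo "FAILED: 1KB file integrity check"
 kill $SERVER_PID 2>/dev/null || true
 exit 1
@@ -158,8 +158,8 @@ jobs:
 
 # Test 2MB file transfer
 echo "Testing 2MB file transfer..."
-/tmp/sftp_test.exp /tmp/test_2mb.dat /tmp/recv_2mb.dat
-if ! cmp -s /tmp/test_2mb.dat /tmp/recv_2mb.dat; then
+/tmp/sftp_test.exp test_2mb.dat /tmp/recv_2mb.dat
+if ! cmp -s test_2mb.dat /tmp/recv_2mb.dat; then
 echo "FAILED: 2MB file integrity check"
 kill $SERVER_PID 2>/dev/null || true
 exit 1
@@ -168,8 +168,8 @@ jobs:
 
 # Test 10MB file transfer
 echo "Testing 10MB file transfer..."
-/tmp/sftp_test.exp /tmp/test_10mb.dat /tmp/recv_10mb.dat
-if ! cmp -s /tmp/test_10mb.dat /tmp/recv_10mb.dat; then
+/tmp/sftp_test.exp test_10mb.dat /tmp/recv_10mb.dat
+if ! cmp -s test_10mb.dat /tmp/recv_10mb.dat; then
 echo "FAILED: 10MB file integrity check"
 kill $SERVER_PID 2>/dev/null || true
 exit 1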
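Review bot: The relative remote paths introduced in the three transfer hunks (`/tmp/sftp_test.exp test_1kb.dat /tmp/recv_1kb.dat` and its 2MB/10MB siblings) only resolve because the files are now created in the step's working directory and, presumably, the server serves from the same place, but nothing in this file says so; a one-line comment above the dd lines, `# Created in ./wolfssh/ (the echoserver's CWD) so the transfer steps below can address them relative to it`, would spare the next reader the guesswork. The first hunk also drops the md5sum checksum file without a replacement, so if any later step still reads /tmp/test_checksums.md5 it will now fail, which is worth confirming. The generated test_*.dat files are written into the source checkout and never removed; a later step that expects a clean tree may be affected.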

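--- a/.github/workflows/paramiko-sftp-test.yml
+++ b/.github/workflows/paramiko-sftp-test.yml
@@ -167,17 +167,19 @@ jobs:
 print("Opening SFTP session...")
 sftp = ssh.open_sftp()
 
+remote_path = 'test_upload.dat'
+
 # Upload test
 print("Uploading 20MB test file...")
 start_time = time.time()
-sftp.put('/tmp/sftp_upload/test_upload.dat', '/tmp/test_upload.dat')
+sftp.put('/tmp/sftp_upload/test_upload.dat', remote_path)
 upload_time = time.time() - start_time
 print(f"Upload completed in {upload_time:.2f} seconds")
 
 # Download test
 print("Downloading 20MB test file...")
 start_time = time.time()
-sftp.get('/tmp/test_upload.dat', '/tmp/sftp_download/test_download.dat')
+sftp.get(remote_path, '/tmp/sftp_download/test_download.dat')
 download_time = time.time() - start_time
 print(f"Download completed in {download_time:.2f} seconds")
 
@@ -197,7 +199,7 @@ jobs:
 download_path = f'/tmp/sftp_download/stress_test_{i}.dat'
 start_time = time.time()
 # Paramiko uses prefetch by default for get()
-sftp.get('/tmp/test_upload.dat', download_path)
+sftp.get(remote_path, download_path)
 elapsed = time.time() - start_time
 
 # Verify integrity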
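Review bot: `remote_path = 'test_upload.dat'` is relative and the reader is left to work out what it is relative to; a comment on that line, `# relative to the SFTP server's working directory, which is the confined root`, would make the intent explicit (the sibling sftp-test.yml change in this commit notes the echoserver's CWD is ./wolfssh/). The uploaded 20MB file is never removed from the server side once the stress loop finishes, so `sftp.remove(remote_path)` after the last download would leave the checkout clean, assuming the server root is indeed the source tree. The enclosing Python script continues outside both hunks.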

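--- a/.github/workflows/sftp-test.yml
+++ b/.github/workflows/sftp-test.yml
@@ -109,7 +109,6 @@ jobs:
 - name: Run SFTP test
 working-directory: ./wolfssh/
 run: |
-mkdir -p /tmp/sftp_test_dir
 # Create expect script to automate the SFTP client interaction
 cat > /tmp/sftp_test.exp << 'EOF'
 #!/usr/bin/expect -f
@@ -118,7 +117,7 @@ jobs:
 expect "Password:"
 send "upthehill\r"
 expect "wolfSSH sftp>"
-send "put /tmp/test.dat /tmp/sftp_test_dir/test_received.dat\r"
+send "put /tmp/test.dat test_received.dat\r"
 expect "wolfSSH sftp>"
 send "exit\r"
 expect eof
@@ -131,9 +130,9 @@ jobs:
 # Run the expect script
 /tmp/sftp_test.exp
 
-# Verify the files match
+# Verify the files match (echoserver's CWD is ./wolfssh/)
 echo "Verifying file integrity..."
-if cmp -s /tmp/test.dat /tmp/sftp_test_dir/test_received.dat; then
+if cmp -s /tmp/test.dat test_received.dat; then
 echo "SFTP Test PASSED: Files match"
 else
 echo "SFTP Test FAILED: Files do not match"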
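Review bot: With the relative target in `send "put /tmp/test.dat test_received.dat\r"`, a put the server rejects is likely to leave no file behind, and the only symptom is cmp reporting "Files do not match", which points the reader at corruption rather than at the path; checking existence before the cmp in the third hunk, `[ -f test_received.dat ] || { echo "SFTP Test FAILED: test_received.dat was not created"; exit 1; }`, gives a distinct failure. The expect script only waits for the next prompt, so it cannot by itself tell a rejected put from a successful one. The comment explaining the relative path sits only beside the cmp; repeating it next to the put line inside the expect script would help whoever edits that script first.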

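--- a/apps/wolfsshd/test/sshd_large_sftp_test.sh
+++ b/apps/wolfsshd/test/sshd_large_sftp_test.sh
@@ -16,22 +16,37 @@ if [ -z "$1" ] || [ -z "$2" ]; then
 exit 1
 fi
 
+# wolfSSHd confines SFTP access to the user's home directory, so the remote
+# file must live under it. Resolve the same home directory wolfSSHd uses
+# (the passwd entry), falling back to $HOME.
+HOME_DIR=`getent passwd "$USER" 2>/dev/null | cut -d: -f6`
+if [ -z "$HOME_DIR" ]; then
+HOME_DIR="$HOME"
+fi
+# Fail fast with a clear message rather than silently targeting "/" (which the
+# now-active SFTP confinement would reject with a non-obvious error) if neither
+# the passwd entry nor $HOME yields a usable home directory.
+if [ -z "$HOME_DIR" ] || [ "$HOME_DIR" = "/" ]; then
+echo "could not resolve a usable home directory for user '$USER'"
+exit 1
+fi
+REMOTE_FILE="$HOME_DIR/large-random-2.txt"
 
 # create a large file with random data (larger than word32 max value)
 head -c 4400000010 < /dev/random > large-random.txt
 
 set -e
-echo "$TEST_SFTP_CLIENT -u $USER -i $PRIVATE_KEY -j $PUBLIC_KEY -g -l large-random.txt -r `pwd`/large-random-2.txt -h \"$1\" -p \"$2\""
-$TEST_SFTP_CLIENT -u $USER -i $PRIVATE_KEY -j $PUBLIC_KEY -g -l large-random.txt -r `pwd`/large-random-2.txt -h "$1" -p "$2"
+echo "$TEST_SFTP_CLIENT -u $USER -i $PRIVATE_KEY -j $PUBLIC_KEY -g -l large-random.txt -r $REMOTE_FILE -h \"$1\" -p \"$2\""
+$TEST_SFTP_CLIENT -u $USER -i $PRIVATE_KEY -j $PUBLIC_KEY -g -l large-random.txt -r "$REMOTE_FILE" -h "$1" -p "$2"
 
-cmp large-random.txt large-random-2.txt
+cmp large-random.txt "$REMOTE_FILE"
 RESULT=$?
 if [ "$RESULT" != "0" ]; then
 echo "files did not match when compared"
 exit 1
 fi
 rm -f large-random.txt
-rm -f large-random-2.txt
+rm -f "$REMOTE_FILE"
 
 set +e
 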
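Review bot: If the client transfer fails while `set -e` is active, the script exits before `rm -f "$REMOTE_FILE"` and a 4.4 GB file is left behind in the user's home directory, which is where the new REMOTE_FILE location now puts it; a `trap 'rm -f large-random.txt "$REMOTE_FILE"' EXIT` placed right after REMOTE_FILE is set would cover every exit path. The new HOME_DIR assignment uses backticks while the rest of the added code is plain POSIX; `HOME_DIR=$(getent passwd "$USER" 2>/dev/null | cut -d: -f6)` is the conventional form, and the "could not resolve a usable home directory" message should go to stderr with `>&2` so it is not mistaken for normal output. `cmp large-random.txt "$REMOTE_FILE"` still assumes client and server share a filesystem, as the previous pwd-based path already did, which is worth stating in the header comment. The argument-check `if` this hunk starts inside opens outside the hunk.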
