An RCE Security vulnerability

[glzjin]

In this file https://github.com/liftoff/GateOne/blob/master/gateone/applications/terminal/plugins/ssh/ssh.py#L586

There is a command execution and the argument comes from user input.

Poc:

1. Deploy a GateOne instance.

#703

2. Open the dev tool in your browser, open the GateOne page.

3. Try to create an ssh connection. And watch the WebSocket traffic, wait for the 'terminal:ssh_get_host_fingerprint' command executes.

4. Now we can switch the dev tool to console, and input this JavaScript script to let GateOne WebSocket send Our evil command. We can see that we get the command execution result from the error message.

GateOne.ws.send('{"terminal:ssh_get_host_fingerprint":{"host":"node1.buuoj.cn","port":"28030;cat /etc/passwd;"}}')

[neingeist]

shouldn't this be addressed?