Skip to content

fix: harden dynamic forwarding, ssh-agent, and EC key parsing#175

Merged
vicajilau merged 2 commits into
TerminalStudio:masterfrom
lollipopkit:upstream/dynamic-forward-agent-ec-key
Jul 1, 2026
Merged

fix: harden dynamic forwarding, ssh-agent, and EC key parsing#175
vicajilau merged 2 commits into
TerminalStudio:masterfrom
lollipopkit:upstream/dynamic-forward-agent-ec-key

Conversation

@GT-610

@GT-610 GT-610 commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR contains three small hardening fixes from ServerBox's fork, kept together:

Dynamic SOCKS forwarding

  • Preserve half-close semantics while streaming:
    • client EOF closes the remote sink
    • remote EOF destroys the local socket
    • EOF before streaming still closes the SOCKS connection
  • Guard against concurrent dial attempts for the same SOCKS request.
  • Cancel the handshake timer before dialing and clean up a tunnel if the connection was closed while the dial was in flight.
  • Decode SOCKS domain names with allowMalformed: true so malformed UTF-8 cannot crash request parsing.
  • Cap SOCKS handshake buffering at 32 KiB to avoid unbounded memory growth.

SSH agent

  • Validate that fallback RSA signing produces an SSHRsaSignature with the requested signature type.
  • Reject zero-length and oversized agent frames (256 KiB max) to avoid malformed/unbounded frames.

EC private key parsing

  • Parse EC PRIVATE KEY curve OIDs when present.
  • Validate embedded EC public points by deriving the expected public key from the private scalar.
  • Preserve UnsupportedError for unsupported key types/curves instead of wrapping it as SSHKeyDecodeError.
  • Decode OpenSSH key comments with allowMalformed: true to tolerate malformed comments.

Test plan

  • dart test test/src/socket/dynamic_forward_io_test.dart
  • dart test test/src/ssh_agent_test.dart
  • dart test test/src/ssh_key_pair_test.dart test/src/ssh_pem_test.dart
  • dart test test/src/socket/dynamic_forward_io_test.dart test/src/ssh_agent_test.dart test/src/ssh_key_pair_test.dart test/src/ssh_pem_test.dart (50 tests)
  • dart analyze lib/src/dynamic_forward_io.dart lib/src/ssh_agent.dart lib/src/ssh_key_pair.dart test/src/socket/dynamic_forward_io_test.dart test/src/ssh_agent_test.dart

GT-610 added 2 commits July 1, 2026 10:39
Dynamic SOCKS forwarding:
- Preserve half-close semantics while streaming: client EOF closes the remote
  sink and remote EOF destroys the local socket instead of treating EOF as a
  full connection close immediately.
- Guard against concurrent dial attempts for the same SOCKS request.
- Cancel the handshake timer before dialing and clean up a tunnel if the
  connection was closed while dial was in flight.
- Tolerate malformed UTF-8 domain names in SOCKS requests and cap handshake
  buffering at 32 KiB.

SSH agent:
- Validate that fallback RSA signing produces an SSHRsaSignature with the
  requested signature type.
- Reject zero-length and oversized agent frames to avoid unbounded buffering.

EC private keys:
- Parse EC PRIVATE KEY curve OIDs when present.
- Validate embedded EC public points by deriving the expected public key from
  the private scalar.
- Preserve UnsupportedError for unsupported key types/curves instead of wrapping
  it as SSHKeyDecodeError.
- Decode OpenSSH key comments with allowMalformed to tolerate malformed comments.

Adds protocol tests for the dynamic forward hardening and ssh-agent frame size
checks.
@codecov

codecov Bot commented Jul 1, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 69.11765% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.59%. Comparing base (43a8980) to head (4e707e1).

Files with missing lines Patch % Lines
lib/src/ssh_key_pair.dart 56.00% 11 Missing ⚠️
lib/src/ssh_agent.dart 41.66% 7 Missing ⚠️
lib/src/dynamic_forward_io.dart 90.32% 3 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #175      +/-   ##
==========================================
+ Coverage   54.52%   54.59%   +0.06%     
==========================================
  Files          66       66              
  Lines        5357     5409      +52     
==========================================
+ Hits         2921     2953      +32     
- Misses       2436     2456      +20     
Flag Coverage Δ
unittests 54.59% <69.11%> (+0.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
lib/src/dynamic_forward_io.dart 95.40% <90.32%> (-1.31%) ⬇️
lib/src/ssh_agent.dart 85.24% <41.66%> (-3.95%) ⬇️
lib/src/ssh_key_pair.dart 77.41% <56.00%> (-1.91%) ⬇️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@vicajilau vicajilau merged commit ab12899 into TerminalStudio:master Jul 1, 2026
3 checks passed
@GT-610 GT-610 deleted the upstream/dynamic-forward-agent-ec-key branch July 1, 2026 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants