Web security hardening (#4830)

* security hardening

* fix some issues

* rustfmt

* add pr

Author: imsnif

CHANGELOG.md

@@ -10,7 +10,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * fix: make sessions compatible across versions (https://github.com/zellij-org/zellij/pull/4439)
 * fix: occasional status-bar pop-out after resurrecting a session (https://github.com/zellij-org/zellij/pull/4440)
 * fix: properly serialize/resurrect layouts with one-line split panes (https://github.com/zellij-org/zellij/pull/4442)
-* feat: allow attaching to remote Zellij sessions over https (eg. `zellij attach https://example.com/my-cool-session`) (https://github.com/zellij-org/zellij/pull/4460)
+* feat: allow attaching to remote Zellij sessions over https (eg. `zellij attach https://example.com/my-cool-session`) (https://github.com/zellij-org/zellij/pull/4460 and https://github.com/zellij-org/zellij/pull/4830)
 * build: Update Rust toolchain to 1.90.0 (https://github.com/zellij-org/zellij/pull/4457)
 * feat: allow plugins to read pane scrollback (https://github.com/zellij-org/zellij/pull/4465)
 * infra: migrate wasm runtime from wasmtime to wasmi (https://github.com/zellij-org/zellij/pull/4449)

Cargo.lock

@@ -247,7 +247,7 @@ pub(crate) fn create_auth_token(name: Option<String>, read_only: bool) -> Result
     create_token(name, read_only)
         .map(|(token, token_name)| {
             let access_type = if read_only { " (read-only)" } else { "" };
-            format!("{}: {}{}", token, token_name, access_type)
+            format!("{}: {}{}", token_name, token, access_type)
         })
         .map_err(|e| e.to_string())
 }
@@ -716,6 +716,8 @@ pub(crate) fn start_client(opts: CliArgs) {
                     token: None,
                     remember: false,
                     forget: false,
+                    ca_cert: None,
+                    insecure: false,
                 }));
             } else {
                 opts.command = None;
@@ -748,6 +750,8 @@ pub(crate) fn start_client(opts: CliArgs) {
             token,
             remember,
             forget,
+            ca_cert,
+            insecure,
         })) = opts.command.clone()
         {
             if let Some(remote_session_url) = session_name.as_ref().and_then(|s| {
@@ -774,6 +778,8 @@ pub(crate) fn start_client(opts: CliArgs) {
                     token,
                     remember,
                     forget,
+                    ca_cert,
+                    insecure,
                     config_options.client_async_worker_tasks,
                 ) {
                     eprintln!("{}", e);

src/commands.rs

@@ -40,6 +40,7 @@ tokio = { workspace = true }
 tokio-util = { workspace = true }
 isahc = { workspace = true }
 tokio-tungstenite = { version = "0.20", features = ["native-tls"] } #TODO: see about this native-tls...
+native-tls = "0.2"
 futures-util = "0.3"
 urlencoding = "2.1"
 

zellij-client/Cargo.toml

@@ -96,7 +96,7 @@ export async function getClientId(token, rememberMe, hasAuthenticationCookie) {
 export async function initAuthentication() {
     let token = null;
     let remember = null;
-    let hasAuthenticationCookie = window.is_authenticated;
+    let hasAuthenticationCookie = document.body.dataset.authenticated === "true";
 
     if (!hasAuthenticationCookie) {
         const tokenResult = await waitForSecurityToken();

zellij-client/assets/auth.js

@@ -20,11 +20,8 @@
         <meta name="viewport" content="width=device-width, initial-scale=1.0" />
         <title>Zellij Web Client</title>
     </head>
-    <body>
+    <body data-authenticated="IS_AUTHENTICATED">
         <div id="terminal" tabindex="0"></div>
-        <script>
-            window.is_authenticated = IS_AUTHENTICATED;
-        </script>
         <script src="assets/modals.js"></script>
         <!-- Module files - order matters -->
         <script type="module" src="assets/utils.js"></script>

zellij-client/assets/index.html

@@ -411,19 +411,36 @@ function showErrorModal(title, description) {
     const modal = document.createElement('div');
     modal.className = 'security-modal error';
 
-    modal.innerHTML = `
-      <div class="security-modal-content">
-        <h3>${title}</h3>
-        <div class="error-description">${description}</div>
-        <div class="button-row">
-          <button id="dismiss" class="dismiss-btn">Acknowledge</button>
-        </div>
-        <div class="status-bar"></div>
-      </div>
-    `;
+    const content = document.createElement('div');
+    content.className = 'security-modal-content';
+
+    const h3 = document.createElement('h3');
+    h3.textContent = title;
+    content.appendChild(h3);
+
+    const desc = document.createElement('div');
+    desc.className = 'error-description';
+    desc.textContent = description;
+    content.appendChild(desc);
+
+    const buttonRow = document.createElement('div');
+    buttonRow.className = 'button-row';
+
+    const dismissBtn = document.createElement('button');
+    dismissBtn.id = 'dismiss';
+    dismissBtn.className = 'dismiss-btn';
+    dismissBtn.textContent = 'Acknowledge';
+    buttonRow.appendChild(dismissBtn);
+    content.appendChild(buttonRow);
+
+    const statusBar = document.createElement('div');
+    statusBar.className = 'status-bar';
+    content.appendChild(statusBar);
+
+    modal.appendChild(content);
 
     document.body.appendChild(modal);
-    modal.querySelector('#dismiss').focus();
+    dismissBtn.focus();
 
     const handleKeydown = (e) => {
       if (e.key === 'Enter' || e.key === 'Escape') {
@@ -440,7 +457,7 @@ function showErrorModal(title, description) {
       resolve();
     };
 
-    modal.querySelector('#dismiss').onclick = cleanup;
+    dismissBtn.onclick = cleanup;
 
     modal.onclick = (e) => {
       if (e.target === modal) {
@@ -459,25 +476,65 @@ function showReconnectionModal(attemptNumber, delaySeconds) {
     modal.style.background = 'rgba(28, 28, 28, 0.85)'; // More transparent to show terminal
 
     const isFirstAttempt = attemptNumber === 1;
-    const title = isFirstAttempt ? 'Connection Lost' : 'Reconnection Failed';
-    const message = isFirstAttempt 
-      ? `Reconnecting in <span id="countdown">${delaySeconds}</span> second${delaySeconds > 1 ? 's' : ''}...`
-      : `Retrying in <span id="countdown">${delaySeconds}</span> second${delaySeconds > 1 ? 's' : ''}... (Attempt ${attemptNumber})`;
-    
-    modal.innerHTML = `
-      <div class="security-modal-content">
-        <h3 id="modal-title">${title}</h3>
-        <div class="error-description" id="modal-message">${message}</div>
-        <div class="button-row" id="button-row">
-          <button id="cancel" class="cancel-btn">Cancel</button>
-          <button id="reconnect" class="submit-btn">Reconnect Now</button>
-        </div>
-        <div class="status-bar"></div>
-      </div>
-    `;
+    const titleText = isFirstAttempt ? 'Connection Lost' : 'Reconnection Failed';
+
+    const contentDiv = document.createElement('div');
+    contentDiv.className = 'security-modal-content';
+
+    const titleEl = document.createElement('h3');
+    titleEl.id = 'modal-title';
+    titleEl.textContent = titleText;
+    contentDiv.appendChild(titleEl);
+
+    const messageEl = document.createElement('div');
+    messageEl.className = 'error-description';
+    messageEl.id = 'modal-message';
+
+    if (isFirstAttempt) {
+        messageEl.appendChild(document.createTextNode('Reconnecting in '));
+        const countdown = document.createElement('span');
+        countdown.id = 'countdown';
+        countdown.textContent = delaySeconds;
+        messageEl.appendChild(countdown);
+        messageEl.appendChild(document.createTextNode(delaySeconds > 1 ? ' seconds...' : ' second...'));
+    } else {
+        messageEl.appendChild(document.createTextNode('Retrying in '));
+        const countdown = document.createElement('span');
+        countdown.id = 'countdown';
+        countdown.textContent = delaySeconds;
+        messageEl.appendChild(countdown);
+        messageEl.appendChild(document.createTextNode(
+            (delaySeconds > 1 ? ' seconds' : ' second') + '... (Attempt ' + attemptNumber + ')'
+        ));
+    }
+    contentDiv.appendChild(messageEl);
+
+    const buttonRowEl = document.createElement('div');
+    buttonRowEl.className = 'button-row';
+    buttonRowEl.id = 'button-row';
+
+    const cancelBtn = document.createElement('button');
+    cancelBtn.id = 'cancel';
+    cancelBtn.className = 'cancel-btn';
+    cancelBtn.textContent = 'Cancel';
+    buttonRowEl.appendChild(cancelBtn);
+
+    const reconnectBtn = document.createElement('button');
+    reconnectBtn.id = 'reconnect';
+    reconnectBtn.className = 'submit-btn';
+    reconnectBtn.textContent = 'Reconnect Now';
+    buttonRowEl.appendChild(reconnectBtn);
+
+    contentDiv.appendChild(buttonRowEl);
+
+    const statusBarEl = document.createElement('div');
+    statusBarEl.className = 'status-bar';
+    contentDiv.appendChild(statusBarEl);
+
+    modal.appendChild(contentDiv);
 
     document.body.appendChild(modal);
-    modal.querySelector('#reconnect').focus();
+    reconnectBtn.focus();
 
     let countdownInterval;
     let remainingSeconds = delaySeconds;
@@ -503,7 +560,7 @@ function showReconnectionModal(attemptNumber, delaySeconds) {
       }
 
       const messageElement = modal.querySelector('#modal-message');
-      messageElement.innerHTML = 'Connecting...';
+      messageElement.textContent = 'Connecting...';
     };
 
     countdownInterval = setInterval(updateCountdown, 1000);

zellij-client/assets/modals.js

@@ -535,6 +535,8 @@ pub fn start_remote_client(
     token: Option<String>,
     remember: bool,
     forget: bool,
+    ca_cert: Option<std::path::PathBuf>,
+    insecure: bool,
     async_worker_tasks: Option<usize>,
 ) -> Result<Option<ConnectToSession>, RemoteClientError> {
     info!("Starting Zellij client!");
@@ -548,6 +550,8 @@ pub fn start_remote_client(
         token,
         remember,
         forget,
+        ca_cert.as_deref(),
+        insecure,
     )?;
 
     let reconnect_to_session = None;

zellij-client/src/lib.rs

@@ -19,9 +19,11 @@ pub async fn authenticate(
     server_base_url: &str,
     auth_token: &str,
     remember_me: bool,
+    ca_cert: Option<&std::path::Path>,
+    insecure: bool,
 ) -> Result<(String, HttpClientWithCookies, Option<String>), RemoteClientError> {
-    let http_client =
-        HttpClientWithCookies::new().map_err(|e| RemoteClientError::Other(Box::new(e)))?;
+    let http_client = HttpClientWithCookies::new(ca_cert, insecure)
+        .map_err(|e| RemoteClientError::Other(Box::new(e)))?;
 
     // Step 1: Login with auth token
     let login_url = format!("{}{}", server_base_url, LOGIN_ENDPOINT);
@@ -105,9 +107,11 @@ pub async fn authenticate(
 pub async fn validate_session_token(
     server_base_url: &str,
     session_token: &str,
+    ca_cert: Option<&std::path::Path>,
+    insecure: bool,
 ) -> Result<(String, HttpClientWithCookies), RemoteClientError> {
-    let http_client =
-        HttpClientWithCookies::new().map_err(|e| RemoteClientError::Other(Box::new(e)))?;
+    let http_client = HttpClientWithCookies::new(ca_cert, insecure)
+        .map_err(|e| RemoteClientError::Other(Box::new(e)))?;
 
     // Pre-populate the session_token cookie
     http_client.set_cookie("session_token".to_string(), session_token.to_string());

zellij-client/src/remote_attach/auth.rs

@@ -2,14 +2,30 @@ use super::config::connection_timeout;
 use isahc::prelude::*;
 use isahc::{config::RedirectPolicy, AsyncBody, HttpClient, Request, Response};
 use std::collections::HashMap;
+use std::path::Path;
 use std::sync::{Arc, Mutex};
 
-pub fn create_http_client() -> Result<HttpClient, isahc::Error> {
-    HttpClient::builder()
+pub fn create_http_client(
+    ca_cert: Option<&Path>,
+    insecure: bool,
+) -> Result<HttpClient, isahc::Error> {
+    let mut builder = HttpClient::builder()
         .redirect_policy(RedirectPolicy::Follow)
-        .ssl_options(isahc::config::SslOption::DANGER_ACCEPT_INVALID_CERTS)
-        .timeout(connection_timeout())
-        .build()
+        .timeout(connection_timeout());
+
+    if insecure {
+        eprintln!(
+            "WARNING: TLS certificate validation is disabled. This connection is NOT secure."
+        );
+        builder = builder.ssl_options(
+            isahc::config::SslOption::DANGER_ACCEPT_INVALID_CERTS
+                | isahc::config::SslOption::DANGER_ACCEPT_INVALID_HOSTS,
+        );
+    } else if let Some(ca_path) = ca_cert {
+        builder = builder.ssl_ca_certificate(isahc::config::CaCertificate::file(ca_path));
+    }
+
+    builder.build()
 }
 
 pub struct HttpClientWithCookies {
@@ -18,9 +34,9 @@ pub struct HttpClientWithCookies {
 }
 
 impl HttpClientWithCookies {
-    pub fn new() -> Result<Self, isahc::Error> {
+    pub fn new(ca_cert: Option<&Path>, insecure: bool) -> Result<Self, isahc::Error> {
         Ok(Self {
-            client: create_http_client()?,
+            client: create_http_client(ca_cert, insecure)?,
             cookies: Arc::new(Mutex::new(HashMap::new())),
         })
     }