Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(actions): ssh channel pins known_hosts beside key (no HOME dependency)

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
root
2026-06-04 22:00:52 +10:00
parent 169e3b6d5c
commit cea2442c4f
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/actions/channels/ssh.js
View File

@@ -1,4 +1,5 @@
import { spawn as nodeSpawn } from 'node:child_process'; import { spawn as nodeSpawn } from 'node:child_process';
import { dirname, join } from 'node:path';
const ID_RE = /^[a-z0-9-]+$/; const ID_RE = /^[a-z0-9-]+$/;
@@ -11,8 +12,11 @@ export function restartService({ ip, actionId }, {
spawnImpl = nodeSpawn spawnImpl = nodeSpawn
} = {}) { } = {}) {
if (!ID_RE.test(actionId || '')) return Promise.reject(new Error(`invalid action id: ${actionId}`)); if (!ID_RE.test(actionId || '')) return Promise.reject(new Error(`invalid action id: ${actionId}`));
// Pin known_hosts beside the key (writable, void-owned) so the channel doesn't
// depend on the service's HOME for ~/.ssh.
const knownHosts = join(dirname(keyPath), 'known_hosts');
const args = ['-i', keyPath, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', const args = ['-i', keyPath, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new',
`${user}@${ip}`, actionId]; '-o', `UserKnownHostsFile=${knownHosts}`, `${user}@${ip}`, actionId];
return new Promise((resolve, reject) => { return new Promise((resolve, reject) => {
const child = spawnImpl('ssh', args); const child = spawnImpl('ssh', args);
let out = '', err = ''; let out = '', err = '';

2
tests/actions/ssh.test.js
View File

@@ -15,7 +15,7 @@ describe('ssh channel', () => {
const { cmd, args } = calls[0]; const { cmd, args } = calls[0];
expect(cmd).toBe('ssh'); expect(cmd).toBe('ssh');
expect(args).toEqual(['-i', '/k', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new', expect(args).toEqual(['-i', '/k', '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=accept-new',
'voidact@192.168.1.230', 'restart-caddy-ct100']); '-o', 'UserKnownHostsFile=/known_hosts', 'voidact@192.168.1.230', 'restart-caddy-ct100']);
}); });
it('rejects an action id with shell metacharacters', async () => { it('rejects an action id with shell metacharacters', async () => {
await expect(restartService({ ip: '1.2.3.4', actionId: 'x; rm -rf /' }, { spawnImpl: () => {} })) await expect(restartService({ ip: '1.2.3.4', actionId: 'x; rm -rf /' }, { spawnImpl: () => {} }))