fix: SftpUploader uses StrictHostKeyChecking=no — vulnerable to MITM #182
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
SftpUploader.php:210,238passes-o StrictHostKeyChecking=noto both scp and ssh commands. This disables SSH host key verification on every connection, making SFTP uploads vulnerable to man-in-the-middle attacks.Location
src/Engine/SftpUploader.php:210(buildScpCommand)src/Engine/SftpUploader.php:238(buildSshCommand)Fix
Change to
StrictHostKeyChecking=accept-new— trusts on first connect, rejects if the key changes. Optionally allow users to provide a known_hosts path in the profile config.Branch created:
feature/182-fix-sftpuploader-uses-stricthostkeycheck🔍 Deep-dive triage (code @ 02.56.05) — VALID.
src/Engine/SftpUploader.php:210(buildScpCommand) and:238(buildSshCommand) both hardcode-o StrictHostKeyChecking=no— host-key verification is disabled on every scp/ssh invocation (MITM on backup uploads: archive exfiltration/tampering + exposure of key/password auth to an impostor host).Severity: Medium.
Fix: switch both to
StrictHostKeyChecking=accept-new(TOFU); optionally support an operator-suppliedknown_hostspath in the remote params via-o UserKnownHostsFile=….Still present in 02.56.05 — keep open.
SftpUploader.php:210(buildScpCommand) and:238(buildSshCommand) both hardcode'-o', 'StrictHostKeyChecking=no', leaving uploads open to MITM. RecommendStrictHostKeyChecking=accept-newplus an optional profile-suppliedknown_hostspath.