
auto update script executed

Toby Chui 1 年之前
父節點
當前提交
d545343770
共有 3 個文件被更改,包括 19 次插入0 次删除
  1. 1 0
      main.go
  2. 9 0
      web/tools/sshconn.html
  3. 9 0
      webssh.go

+ 1 - 0
main.go

@@ -27,6 +27,7 @@ import (
 // General flags
 var noauth = flag.Bool("noauth", false, "Disable authentication for management interface")
 var showver = flag.Bool("version", false, "Show version of this server")
+var allowSshLoopback = flag.Bool("sshlb", false, "Allow loopback web ssh connection (DANGER)")
 
 var (
 	name     = "Zoraxy"
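Review bot: The help text on the new `sshlb` flag says only "(DANGER)" and never states what the risk is. An operator reading `-h` cannot tell that enabling it lets a web SSH session target the proxy host's own SSH service. I would add a comment above the declaration, for example `// allowSshLoopback permits web SSH sessions to target this host's loopback addresses; keep it off unless every management-interface user is trusted with shell access to this machine.`, and expand the usage string along the same lines. The interaction with `-noauth` on the line above looks worth documenting too, since presumably the two together leave the loopback target reachable without authentication. As a style point, Go initialisms keep their case, so `allowSSHLoopback` would be the conventional name.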

+ 9 - 0
web/tools/sshconn.html

@@ -56,7 +56,9 @@
                         </div>
                     </div>
                 </div>
+                <div id="ui error message">
 
+                </div>
 
                 <div style="float: right;">
                     <button class="ui basic button"  onclick="connectSSH()"><i class="ui blue exchange icon"></i> Connect</button>
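Review bot: The added container uses `id="ui error message"`, which looks like a class list typed into the id attribute. An id must not contain whitespace, and the Semantic UI styling these names refer to only applies through `class`. Something like `<div id="sshErrorMessage" class="ui error message" style="display: none;"></div>` gives the script a valid handle and keeps the box hidden until there is an error; the id name there is a suggestion, not something taken from the file. Nothing in the visible hunks writes into this element, so any text placed there later should be set via `textContent` rather than `innerHTML`, because it will echo a user-supplied host name.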
@@ -170,6 +172,11 @@
 
 
             function isValidServerNameOrIPAddress(str) {
+                //Do not allow loopback
+                if (str == "localhost" || str == "127.0.0.1"){
+                    return false;
+                }
+                
                 // First, check if the string is a valid IP address
                 const ipAddressRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
                 if (ipAddressRegex.test(str)) {
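Review bot: The loopback rejection at the top of `isValidServerNameOrIPAddress` is unconditional, so the form refuses `localhost` and `127.0.0.1` even when the server was started with `-sshlb` and would accept them. It is also case-sensitive and untrimmed, whereas the server check in webssh.go uses `EqualFold` and `TrimSpace`, so the two disagree on inputs such as `LOCALHOST`. A comment should state that this check is a usability hint only and that enforcement is server-side, e.g. `// UX hint only: the server decides whether loopback targets are allowed`. Ideally the page would learn the server's setting rather than hard-coding the rule. The function body continues beyond this hunk.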
@@ -182,6 +189,8 @@
                     return true;
                 }
 
+                
+
                 // If the string is neither an IP address nor a server name, return false
                 return false;
             }

+ 9 - 0
webssh.go

@@ -41,6 +41,15 @@ func HandleCreateProxySession(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !*allowSshLoopback {
+		//Not allow loopback connections
+		if strings.EqualFold(strings.TrimSpace(ipaddr), "localhost") || strings.TrimSpace(ipaddr) == "127.0.0.1" {
+			//Request target is loopback
+			utils.SendErrorResponse(w, "loopback web ssh connection is not enabled on this host")
+			return
+		}
+	}
+
 	//Check if the target is a valid ssh endpoint
 	if !sshprox.IsSSHConnectable(ipaddr, port) {
 		utils.SendErrorResponse(w, ipaddr+":"+strconv.Itoa(port)+" is not a valid SSH server")
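Review bot: The new guard in `HandleCreateProxySession` compares `ipaddr` against two literal strings, so it blocks only `localhost` and `127.0.0.1`. The rest of 127.0.0.0/8, the IPv6 loopback, the unspecified address and any hostname that resolves to loopback still reach `sshprox.IsSSHConnectable`. The check should parse or resolve the target and test the resulting addresses with `IsLoopback()`, as sketched below, which needs `net` in the import block if it is not already there. Even then a name can resolve differently between this check and the later dial, so the most reliable place to enforce the rule is on the address the SSH connection is actually opened to, presumably inside `sshprox`. The function starts and ends outside this hunk.

```go
	if !*allowSshLoopback {
		//Not allow loopback connections
		target := strings.TrimSpace(ipaddr)
		var addrs []net.IP
		if ip := net.ParseIP(target); ip != nil {
			addrs = append(addrs, ip)
		} else if resolved, err := net.LookupIP(target); err == nil {
			addrs = resolved
		}
		for _, ip := range addrs {
			if ip.IsLoopback() || ip.IsUnspecified() {
				//Request target is (or resolves to) loopback
				utils.SendErrorResponse(w, "loopback web ssh connection is not enabled on this host")
				return
			}
		}
	}
	// … unchanged: sshprox.IsSSHConnectable check …
```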