feat: Implement command execution handler for server (#148)

* feat: Implement command execution handler for server

Implement the exec_request handler for bssh-server, enabling clients
to execute remote commands via SSH. Features include:

- CommandExecutor with configurable shell and timeout
- Stdout/stderr streaming to SSH channel
- Command allow/block list validation for security
- Exit code propagation to client
- Environment variable configuration (HOME, USER, SHELL, PATH)
- Working directory configuration
- Proper channel lifecycle (success, eof, close)

Closes #128

* security: Fix critical and high security issues in command execution

This commit addresses all CRITICAL and HIGH severity security
vulnerabilities identified in PR #148 code review.

CRITICAL Issues Fixed:
1. Command Injection via Blocklist Bypass
   - Implement normalized validation (lowercase, whitespace collapse)
   - Add regex-based pattern detection for variable expansion
   - Detect all shell metacharacters (;, &&, ||, |, $(), etc.)
   - Case-insensitive and normalized blocklist matching

2. Allowlist Validation Bypass
   - Detect and reject command chaining in allowlist mode
   - Change to exact match only (no prefix matching)
   - Prevent "ls; rm -rf /" style bypasses

3. Process Privilege Control
   - Add process group creation for better isolation
   - Document OS-level privilege control requirements
   - Use kill_on_drop for automatic cleanup

HIGH Issues Fixed:
4. Zombie Process Risk on Timeout
   - Create new process group with process_group(0)
   - Kill entire process group on timeout using kill(-pid, SIGKILL)
   - Implement fallback to immediate child kill

5. Resource Limits
   - Add documentation for OS-level resource limits
   - Recommend systemd service limits and ulimit configuration

6. Environment Variable Security
   - Block dangerous environment variables (LD_PRELOAD, LD_LIBRARY_PATH, etc.)
   - Add runtime filtering with warning logs
   - Prevent library injection and environment-based attacks

Implementation Details:
- Enhanced validation with multiple defense layers
- Comprehensive test suite with 17 passing tests
- Updated default blocklist to block command categories
- Added dangerous environment variable blocklist
- Process group management for Unix systems
- Updated dependencies: nix (process, signal features), libc

Breaking Changes:
- Default blocklist now blocks command names instead of full patterns
- Command chaining strictly blocked when allowlist is configured
- Case-insensitive command blocking (RM, Rm blocked along with rm)
- Dangerous environment variables are now filtered

Testing:
- All 17 exec module tests pass
- Comprehensive injection prevention tests added
- Blocklist normalization tests
- Allowlist bypass prevention tests
- Environment variable filtering tests

* chore: Fix formatting and dead code warning in exec handler

Apply cargo fmt formatting and add #[allow(dead_code)] for test helper

Author: inureyes

ARCHITECTURE.md

@@ -198,6 +198,7 @@ SSH server implementation using the russh library for accepting incoming connect
 - `config.rs` - `ServerConfig` with builder pattern for server settings
 - `handler.rs` - `SshHandler` implementing `russh::server::Handler` trait
 - `session.rs` - Session state management (`SessionManager`, `SessionInfo`, `ChannelState`)
+- `exec.rs` - Command execution for SSH exec requests
 - `auth/` - Authentication provider infrastructure
 
 **Key Components**:
@@ -213,12 +214,22 @@ SSH server implementation using the russh library for accepting incoming connect
   - Connection limits and timeouts
   - Authentication method toggles (password, publickey, keyboard-interactive)
   - Public key authentication configuration (authorized_keys location)
+  - Command execution configuration (shell, timeout, allowed/blocked commands)
 
 - **SshHandler**: Per-connection handler for SSH protocol events
   - Public key authentication via AuthProvider trait
   - Rate limiting for authentication attempts
   - Channel operations (open, close, EOF, data)
   - PTY, exec, shell, and subsystem request handling
+  - Command execution with stdout/stderr streaming
+
+- **CommandExecutor**: Executes commands requested by SSH clients
+  - Shell-based command execution with `-c` flag
+  - Environment variable configuration (HOME, USER, SHELL, PATH)
+  - Stdout/stderr streaming to SSH channel
+  - Command timeout with graceful process termination
+  - Command allow/block list validation for security
+  - Exit code propagation to client
 
 - **SessionManager**: Tracks active sessions with configurable capacity
   - Session creation and cleanup

Cargo.toml

@@ -43,7 +43,7 @@ regex = "1.12.2"
 lazy_static = "1.5"
 ctrlc = "3.5.1"
 signal-hook = "0.4.1"
-nix = { version = "0.30", features = ["poll"] }
+nix = { version = "0.30", features = ["poll", "process", "signal"] }
 atty = "0.2.14"
 arrayvec = "0.7.6"
 smallvec = "1.15.1"
@@ -52,10 +52,10 @@ uuid = { version = "1.19.0", features = ["v4"] }
 fastrand = "2.3.0"
 tokio-util = "0.7.17"
 shell-words = "1.1.1"
+libc = "0.2"
 
 [target.'cfg(target_os = "macos")'.dependencies]
 security-framework = "3.5.1"
-libc = "0.2"
 
 [dev-dependencies]
 tempfile = "3.23.0"

src/server/config.rs

@@ -23,6 +23,7 @@ use std::time::Duration;
 use serde::{Deserialize, Serialize};
 
 use super::auth::{AuthProvider, PublicKeyAuthConfig, PublicKeyVerifier};
+use super::exec::ExecConfig;
 
 /// Configuration for the SSH server.
 ///
@@ -72,6 +73,10 @@ pub struct ServerConfig {
     /// Configuration for public key authentication.
     #[serde(default)]
     pub publickey_auth: PublicKeyAuthConfigSerde,
+
+    /// Configuration for command execution.
+    #[serde(default)]
+    pub exec: ExecConfig,
 }
 
 /// Serializable configuration for public key authentication.
@@ -139,6 +144,7 @@ impl Default for ServerConfig {
             allow_keyboard_interactive: false,
             banner: None,
             publickey_auth: PublicKeyAuthConfigSerde::default(),
+            exec: ExecConfig::default(),
         }
     }
 }
@@ -282,6 +288,24 @@ impl ServerConfigBuilder {
         self
     }
 
+    /// Set the exec configuration.
+    pub fn exec(mut self, exec_config: ExecConfig) -> Self {
+        self.config.exec = exec_config;
+        self
+    }
+
+    /// Set the command execution timeout in seconds.
+    pub fn exec_timeout_secs(mut self, secs: u64) -> Self {
+        self.config.exec.timeout_secs = secs;
+        self
+    }
+
+    /// Set the default shell for command execution.
+    pub fn exec_shell(mut self, shell: impl Into<PathBuf>) -> Self {
+        self.config.exec.default_shell = shell.into();
+        self
+    }
+
     /// Build the ServerConfig.
     pub fn build(self) -> ServerConfig {
         self.config
@@ -413,4 +437,37 @@ mod tests {
         // Provider should be created successfully (verifies no panic)
         let _provider = config.create_auth_provider();
     }
+
+    #[test]
+    fn test_exec_config_default() {
+        let config = ServerConfig::default();
+        assert_eq!(config.exec.default_shell, PathBuf::from("/bin/sh"));
+        assert_eq!(config.exec.timeout_secs, 3600);
+    }
+
+    #[test]
+    fn test_builder_exec_config() {
+        let exec_config = ExecConfig::new()
+            .with_shell("/bin/bash")
+            .with_timeout_secs(1800);
+
+        let config = ServerConfig::builder().exec(exec_config).build();
+
+        assert_eq!(config.exec.default_shell, PathBuf::from("/bin/bash"));
+        assert_eq!(config.exec.timeout_secs, 1800);
+    }
+
+    #[test]
+    fn test_builder_exec_timeout() {
+        let config = ServerConfig::builder().exec_timeout_secs(600).build();
+
+        assert_eq!(config.exec.timeout_secs, 600);
+    }
+
+    #[test]
+    fn test_builder_exec_shell() {
+        let config = ServerConfig::builder().exec_shell("/bin/zsh").build();
+
+        assert_eq!(config.exec.default_shell, PathBuf::from("/bin/zsh"));
+    }
 }