[bot] AutoMerging: merge all upstream's changes:

* https://github.com/fatedier/frp:
  call config complete in nathole discover (fatedier#3813)
  Improve the strict configuration validation (fatedier#3809)
  add e2e tests for ssh tunnel (fatedier#3805)

.gitignore

@@ -33,6 +33,7 @@ lastversion/
 dist/
 .idea/
 .vscode/
+.autogen_ssh_key
 
 # Cache
 *.swp

Release.md

@@ -1,6 +1,6 @@
 ### Features
 
-* New command line parameter `--strict_config` is added to enable strict configuration validation mode. It will throw an error for non-existent fields instead of ignoring them. In future versions, we may set the default value of this parameter to true.
+* The new command line parameter `--strict_config` has been added to enable strict configuration validation mode. It will throw an error for unknown fields instead of ignoring them. In future versions, we will set the default value of this parameter to true to avoid misconfigurations.
 * Support `SSH reverse tunneling`. With this feature, you can expose your local service without running frpc, only using SSH. The SSH reverse tunnel agent has many functional limitations compared to the frpc agent. The currently supported proxy types are tcp, http, https, tcpmux, and stcp.
 * The frpc tcpmux command line parameters have been updated to support configuring `http_user` and `http_pwd`.
 * The frpc stcp/sudp/xtcp command line parameters have been updated to support configuring `allow_users`.

cmd/frpc/sub/nathole.go

@@ -51,6 +51,7 @@ var natholeDiscoveryCmd = &cobra.Command{
 		cfg, _, _, _, err := config.LoadClientConfig(cfgFile, strictConfigMode)
 		if err != nil {
 			cfg = &v1.ClientCommonConfig{}
+			cfg.Complete()
 		}
 		if natHoleSTUNServer != "" {
 			cfg.NatHoleSTUNServer = natHoleSTUNServer

pkg/config/load.go

@@ -110,8 +110,11 @@ func LoadConfigureFromFile(path string, c any, strict bool) error {
 
 // LoadConfigure loads configuration from bytes and unmarshal into c.
 // Now it supports json, yaml and toml format.
-// TODO(fatedier): strict is not valide for ProxyConfigurer/VisitorConfigurer/ClientPluginOptions.
 func LoadConfigure(b []byte, c any, strict bool) error {
+	v1.DisallowUnknownFieldsMu.Lock()
+	defer v1.DisallowUnknownFieldsMu.Unlock()
+	v1.DisallowUnknownFields = strict
+
 	var tomlObj interface{}
 	// Try to unmarshal as TOML first; swallow errors from that (assume it's not valid TOML).
 	if err := toml.Unmarshal(b, &tomlObj); err == nil {

pkg/config/load_test.go

@@ -111,3 +111,56 @@ func TestLoadServerConfigStrictMode(t *testing.T) {
 		}
 	}
 }
+
+func TestCustomStructStrictMode(t *testing.T) {
+	require := require.New(t)
+
+	proxyStr := `
+serverPort = 7000
+
+[[proxies]]
+name = "test"
+type = "tcp"
+remotePort = 6000
+`
+	clientCfg := v1.ClientConfig{}
+	err := LoadConfigure([]byte(proxyStr), &clientCfg, true)
+	require.NoError(err)
+
+	proxyStr += `unknown = "unknown"`
+	err = LoadConfigure([]byte(proxyStr), &clientCfg, true)
+	require.Error(err)
+
+	visitorStr := `
+serverPort = 7000
+
+[[visitors]]
+name = "test"
+type = "stcp"
+bindPort = 6000
+serverName = "server"
+`
+	err = LoadConfigure([]byte(visitorStr), &clientCfg, true)
+	require.NoError(err)
+
+	visitorStr += `unknown = "unknown"`
+	err = LoadConfigure([]byte(visitorStr), &clientCfg, true)
+	require.Error(err)
+
+	pluginStr := `
+serverPort = 7000
+
+[[proxies]]
+name = "test"
+type = "tcp"
+remotePort = 6000
+[proxies.plugin]
+type = "unix_domain_socket"
+unixPath = "/tmp/uds.sock"
+`
+	err = LoadConfigure([]byte(pluginStr), &clientCfg, true)
+	require.NoError(err)
+	pluginStr += `unknown = "unknown"`
+	err = LoadConfigure([]byte(pluginStr), &clientCfg, true)
+	require.Error(err)
+}

pkg/config/v1/common.go

@@ -15,9 +15,23 @@
 package v1
 
 import (
+	"sync"
+
 	"github.com/fatedier/frp/pkg/util/util"
 )
 
+// TODO(fatedier): Due to the current implementation issue of the go json library, the UnmarshalJSON method
+// of a custom struct cannot access the DisallowUnknownFields parameter of the parent decoder.
+// Here, a global variable is temporarily used to control whether unknown fields are allowed.
+// Once the v2 version is implemented by the community, we can switch to a standardized approach.
+//
+// https://github.com/golang/go/issues/41144
+// https://github.com/golang/go/discussions/63397
+var (
+	DisallowUnknownFields   = false
+	DisallowUnknownFieldsMu sync.Mutex
+)
+
 type AuthScope string
 
 const (

pkg/config/v1/plugin.go

@@ -15,6 +15,7 @@
 package v1
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -49,7 +50,13 @@ func (c *TypedClientPluginOptions) UnmarshalJSON(b []byte) error {
 		return fmt.Errorf("unknown plugin type: %s", typeStruct.Type)
 	}
 	options := reflect.New(v).Interface().(ClientPluginOptions)
-	if err := json.Unmarshal(b, options); err != nil {
+
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+
+	if err := decoder.Decode(options); err != nil {
 		return err
 	}
 	c.ClientPluginOptions = options
@@ -77,17 +84,20 @@ var clientPluginOptionsTypeMap = map[string]reflect.Type{
 }
 
 type HTTP2HTTPSPluginOptions struct {
+	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
 	HostHeaderRewrite string           `json:"hostHeaderRewrite,omitempty"`
 	RequestHeaders    HeaderOperations `json:"requestHeaders,omitempty"`
 }
 
 type HTTPProxyPluginOptions struct {
+	Type         string `json:"type,omitempty"`
 	HTTPUser     string `json:"httpUser,omitempty"`
 	HTTPPassword string `json:"httpPassword,omitempty"`
 }
 
 type HTTPS2HTTPPluginOptions struct {
+	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
 	HostHeaderRewrite string           `json:"hostHeaderRewrite,omitempty"`
 	RequestHeaders    HeaderOperations `json:"requestHeaders,omitempty"`
@@ -96,6 +106,7 @@ type HTTPS2HTTPPluginOptions struct {
 }
 
 type HTTPS2HTTPSPluginOptions struct {
+	Type              string           `json:"type,omitempty"`
 	LocalAddr         string           `json:"localAddr,omitempty"`
 	HostHeaderRewrite string           `json:"hostHeaderRewrite,omitempty"`
 	RequestHeaders    HeaderOperations `json:"requestHeaders,omitempty"`
@@ -104,17 +115,20 @@ type HTTPS2HTTPSPluginOptions struct {
 }
 
 type Socks5PluginOptions struct {
+	Type     string `json:"type,omitempty"`
 	Username string `json:"username,omitempty"`
 	Password string `json:"password,omitempty"`
 }
 
 type StaticFilePluginOptions struct {
+	Type         string `json:"type,omitempty"`
 	LocalPath    string `json:"localPath,omitempty"`
 	StripPrefix  string `json:"stripPrefix,omitempty"`
 	HTTPUser     string `json:"httpUser,omitempty"`
 	HTTPPassword string `json:"httpPassword,omitempty"`
 }
 
 type UnixDomainSocketPluginOptions struct {
+	Type     string `json:"type,omitempty"`
 	UnixPath string `json:"unixPath,omitempty"`
 }

pkg/config/v1/proxy.go

@@ -15,6 +15,7 @@
 package v1
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -177,7 +178,11 @@ func (c *TypedProxyConfig) UnmarshalJSON(b []byte) error {
 	if configurer == nil {
 		return fmt.Errorf("unknown proxy type: %s", typeStruct.Type)
 	}
-	if err := json.Unmarshal(b, configurer); err != nil {
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+	if err := decoder.Decode(configurer); err != nil {
 		return err
 	}
 	c.ProxyConfigurer = configurer

pkg/config/v1/visitor.go

@@ -15,6 +15,7 @@
 package v1
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -108,7 +109,11 @@ func (c *TypedVisitorConfig) UnmarshalJSON(b []byte) error {
 	if configurer == nil {
 		return fmt.Errorf("unknown visitor type: %s", typeStruct.Type)
 	}
-	if err := json.Unmarshal(b, configurer); err != nil {
+	decoder := json.NewDecoder(bytes.NewBuffer(b))
+	if DisallowUnknownFields {
+		decoder.DisallowUnknownFields()
+	}
+	if err := decoder.Decode(configurer); err != nil {
 		return err
 	}
 	c.VisitorConfigurer = configurer
@@ -120,7 +125,9 @@ func NewVisitorConfigurerByType(t VisitorType) VisitorConfigurer {
 	if !ok {
 		return nil
 	}
-	return reflect.New(v).Interface().(VisitorConfigurer)
+	vc := reflect.New(v).Interface().(VisitorConfigurer)
+	vc.GetBaseConfig().Type = string(t)
+	return vc
 }
 
 var _ VisitorConfigurer = &STCPVisitorConfig{}

pkg/ssh/server.go

@@ -56,8 +56,6 @@ type forwardedTCPPayload struct {
 	Addr string
 	Port uint32
 
-	// can be default empty value but do not delete it
-	// because ssh protocol shoule be reserved
 	OriginAddr string
 	OriginPort uint32
 }
@@ -117,6 +115,8 @@ func (s *TunnelServer) Run() error {
 			// join workConn and ssh channel
 			c, err := s.openConn(addr)
 			if err != nil {
+				log.Trace("open conn error: %v", err)
+				workConn.Close()
 				return false
 			}
 			libio.Join(c, workConn)
@@ -180,20 +180,16 @@ func (s *TunnelServer) waitForwardAddrAndExtraPayload(
 	go func() {
 		addrGot := false
 		for req := range requests {
-			switch req.Type {
-			case RequestTypeForward:
-				if !addrGot {
-					payload := tcpipForward{}
-					if err := ssh.Unmarshal(req.Payload, &payload); err != nil {
-						return
-					}
-					addrGot = true
-					addrCh <- &payload
-				}
-			default:
-				if req.WantReply {
-					_ = req.Reply(true, nil)
+			if req.Type == RequestTypeForward && !addrGot {
+				payload := tcpipForward{}
+				if err := ssh.Unmarshal(req.Payload, &payload); err != nil {
+					return
 				}
+				addrGot = true
+				addrCh <- &payload
+			}
+			if req.WantReply {
+				_ = req.Reply(true, nil)
 			}
 		}
 	}()
@@ -271,10 +267,10 @@ func (s *TunnelServer) handleNewChannel(channel ssh.NewChannel, extraPayloadCh c
 	go s.keepAlive(ch)
 
 	for req := range reqs {
-		if req.Type != "exec" {
-			continue
+		if req.WantReply {
+			_ = req.Reply(true, nil)
 		}
-		if len(req.Payload) <= 4 {
+		if req.Type != "exec" || len(req.Payload) <= 4 {
 			continue
 		}
 		end := 4 + binary.BigEndian.Uint32(req.Payload[:4])
@@ -310,6 +306,9 @@ func (s *TunnelServer) openConn(addr *tcpipForward) (net.Conn, error) {
 	payload := forwardedTCPPayload{
 		Addr: addr.Host,
 		Port: addr.Port,
+		// Note: Here is just for compatibility, not the real source address.
+		OriginAddr: addr.Host,
+		OriginPort: addr.Port,
 	}
 	channel, reqs, err := s.sshConn.OpenChannel(ChannelTypeServerOpenChannel, ssh.Marshal(&payload))
 	if err != nil {