mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
* security: block SSRF and enforce global auth on sidecar endpoints

Addresses trust boundary vulnerabilities in the desktop sidecar's locally-exposed API server (127.0.0.1:46123) reported in "Breaking the Trust Boundary in a 14k Star OSINT Dashboard":

- SSRF protection on /api/rss-proxy: block private/reserved IPs (127.x, 10.x, 172.16-31.x, 192.168.x, 169.254.x, multicast), validate DNS resolution to prevent rebinding, reject non-http(s) protocols and URLs with embedded credentials
- Global auth gate: move LOCAL_API_TOKEN check above ALL endpoints so /api/rss-proxy, /api/local-status, /api/local-traffic-log, /api/local-debug-toggle, and /api/register-interest now require authentication (only /api/service-status health check is exempt)
- Cryptographic token generation: replace RandomState-based token in main.rs with getrandom crate (OS-backed CSPRNG, 32 bytes)
- Traffic log privacy: strip query strings from logged paths to prevent leaking feed URLs and user research patterns
- CORS hardening: tighten worldmonitor.app origin regex from (.*\.)? to ([a-z0-9-]+\.)? to block multi-level subdomain spoofing
- 10 new security tests covering auth enforcement on every endpoint, SSRF blocking for private IPs/localhost/non-http/credentials, health check exemption, and traffic log sanitization

https://claude.ai/code/session_018vNVfwPh25tbZmtiX66KxP

* security: pin resolved IP in rss-proxy to close TOCTOU DNS rebinding window

isSafeUrl() now returns the resolved addresses, and fetchWithTimeout() accepts a resolvedAddress option that bypasses runtime DNS via a custom lookup callback (HTTPS) or URL rewrite with Host header (HTTP). The rss-proxy handler threads the first validated IPv4 through, so the TCP connection is guaranteed to reach the same IP that passed the private-range check.

https://claude.ai/code/session_018vNVfwPh25tbZmtiX66KxP

---------

Co-authored-by: Claude <noreply@anthropic.com>