security(harness): restrict /api/harness/* routes to localhost only

Add requireLocalhost middleware that returns 403 unless the request comes from localhost (127.0.0.1 or ::1). This prevents external access to the diagnostic endpoints.
Paul Huliganga 2026-03-30 09:56:25 -04:00
parent 597e5c94c8
commit 2af1459d25
1 changed files with 12 additions and 0 deletions


@ -28,6 +28,17 @@ type GitCommitSummary = {
relative: string; relative: string;
}; };
function requireLocalhost(req: any, res: any, next: any) {
const ip = req.ip || (req.socket && req.socket.remoteAddress) || '';
// Normalize IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1)
const normalizedIp = ip.replace(/^::ffff:/, '');
if (normalizedIp !== '127.0.0.1' && normalizedIp !== '::1') {
return res.status(403).json({ success: false, error: 'Forbidden: Access to harness routes is restricted to localhost.' });
}
next();
}
function safeReadJson<T>(path: string): T | null { function safeReadJson<T>(path: string): T | null {
try { try {
if (!existsSync(path)) return null; if (!existsSync(path)) return null;
@ -77,6 +88,7 @@ function getLastCommit(projectRoot: string): GitCommitSummary | null {
export function createHarnessRoutes(projectRoot = process.cwd()): Router { export function createHarnessRoutes(projectRoot = process.cwd()): Router {
const router = Router(); const router = Router();
router.use(requireLocalhost);
router.get('/status', (_req, res) => { router.get('/status', (_req, res) => {
try { try {
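Review bot: `requireLocalhost` decides on `req.ip`, which (assuming this is Express's `Router`) is taken from `X-Forwarded-For` whenever `trust proxy` is enabled, so the guard is only as strong as an app setting this page does not show. Reading the peer address directly, `const ip = req.socket?.remoteAddress ?? '';`, ties the decision to the actual TCP connection. Even then, if the server is ever fronted by a reverse proxy on the same host, every request arrives from 127.0.0.1 and the check passes for all of them, so I would add a comment above the function such as `// Only valid when the server is reached directly; behind a same-host reverse proxy every client looks like loopback.` The three `any` parameters could be typed with Express's `Request`, `Response` and `NextFunction` so a misspelled property is caught at compile time. The body of `createHarnessRoutes` continues outside the visible hunk.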