github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 09:41:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block plaintext WebSocket connections to non-loopback addresses (#20803)

Browse Source 
* fix(security): block plaintext WebSocket connections to non-loopback addresses

Addresses CWE-319 (Cleartext Transmission of Sensitive Information).

Previously, ws:// connections to remote hosts were allowed, exposing
both credentials and chat data to network interception. This change
blocks ALL plaintext ws:// connections to non-loopback addresses,
regardless of whether explicit credentials are configured (device
tokens may be loaded dynamically).

Security policy:
- wss:// allowed to any host
- ws:// allowed only to loopback (127.x.x.x, localhost, ::1)
- ws:// to LAN/tailnet/remote hosts now requires TLS

Changes:
- Add isSecureWebSocketUrl() validation in net.ts
- Block insecure connections in GatewayClient.start()
- Block insecure URLs in buildGatewayConnectionDetails()
- Handle malformed URLs gracefully without crashing
- Update tests to use wss:// for non-loopback URLs

Fixes #12519

* fix(test): update gateway-chat mock to preserve net.js exports

Use importOriginal to spread actual module exports and mock only
the functions needed for testing. This ensures isSecureWebSocketUrl
and other exports remain available to the code under test.
This commit is contained in:
Jay Caldwell
2026-02-19 05:13:08 -06:00
committed by GitHub
parent f7a7a28c56
commit 9edec67a18
9 changed files with 272 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/gateway/net.test.ts
View File

@@ -2,6 +2,7 @@ import os from "node:os";
import { afterEach, describe, expect, it, vi } from "vitest";
import {
isPrivateOrLoopbackAddress,
isSecureWebSocketUrl,
isTrustedProxyAddress,
pickPrimaryLanIPv4,
resolveGatewayListenHosts,
@@ -237,3 +238,42 @@ describe("isPrivateOrLoopbackAddress", () => {
}
});
});
describe("isSecureWebSocketUrl", () => {
describe("wss:// (TLS) URLs", () => {
it("returns true for wss:// regardless of host", () => {
expect(isSecureWebSocketUrl("wss://127.0.0.1:18789")).toBe(true);
expect(isSecureWebSocketUrl("wss://localhost:18789")).toBe(true);
expect(isSecureWebSocketUrl("wss://remote.example.com:18789")).toBe(true);
expect(isSecureWebSocketUrl("wss://192.168.1.100:18789")).toBe(true);
});
});
describe("ws:// (plaintext) URLs", () => {
it("returns true for ws:// to loopback addresses", () => {
expect(isSecureWebSocketUrl("ws://127.0.0.1:18789")).toBe(true);
expect(isSecureWebSocketUrl("ws://localhost:18789")).toBe(true);
expect(isSecureWebSocketUrl("ws://[::1]:18789")).toBe(true);
expect(isSecureWebSocketUrl("ws://127.0.0.42:18789")).toBe(true);
});
it("returns false for ws:// to non-loopback addresses (CWE-319)", () => {
expect(isSecureWebSocketUrl("ws://remote.example.com:18789")).toBe(false);
expect(isSecureWebSocketUrl("ws://192.168.1.100:18789")).toBe(false);
expect(isSecureWebSocketUrl("ws://10.0.0.5:18789")).toBe(false);
expect(isSecureWebSocketUrl("ws://100.64.0.1:18789")).toBe(false);
});
});
describe("invalid URLs", () => {
it("returns false for invalid URLs", () => {
expect(isSecureWebSocketUrl("not-a-url")).toBe(false);
expect(isSecureWebSocketUrl("")).toBe(false);
});
it("returns false for non-WebSocket protocols", () => {
expect(isSecureWebSocketUrl("http://127.0.0.1:18789")).toBe(false);
expect(isSecureWebSocketUrl("https://127.0.0.1:18789")).toBe(false);
});
});
});