refactor(security): unify local-host and tailnet CIDR checks

This commit is contained in:
Peter Steinberger
2026-02-22 17:20:20 +01:00
parent 21cbf59509
commit f14ebd743c
7 changed files with 63 additions and 31 deletions


@@ -12,9 +12,9 @@ import {
type RateLimitCheckResult,
} from "./auth-rate-limit.js";
import {
isLocalishHost,
isLoopbackAddress,
isTrustedProxyAddress,
resolveHostName,
resolveClientIp,
} from "./net.js";
@@ -133,10 +133,6 @@ export function isLocalDirectRequest(
return false;
}
const host = resolveHostName(req.headers?.host);
const hostIsLocal = host === "localhost" || host === "127.0.0.1" || host === "::1";
const hostIsTailscaleServe = host.endsWith(".ts.net");
const hasForwarded = Boolean(
req.headers?.["x-forwarded-for"] ||
req.headers?.["x-real-ip"] ||
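Review bot: The `resolveHostName(req.headers?.host)` normalization is dropped here, and the replacement return in the next hunk passes the raw `req.headers?.host` to `isLocalishHost`, so the port-stripping and IPv6-bracket handling that `resolveHostName` presumably did now has to live inside `isLocalishHost`; if it does not (its body is not on this page), a request with `Host: localhost:3000` or `Host: [::1]:3000` would stop being treated as local. Worth confirming with a test for those two header forms and for a `.ts.net` name with a port, since the old `hostIsLocal || hostIsTailscaleServe` check compared the normalized name. The removed lines also leave the remaining condition without a hint of why the Host header alone is not trusted; a comment above `const hasForwarded = Boolean(` such as `// Host is client-supplied; the remote-address / trusted-proxy condition below is what actually gates the "local" decision.` would keep that intent visible. isLocalDirectRequest starts before this hunk and its return statement is in the following one.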
@@ -144,7 +140,7 @@ export function isLocalDirectRequest(
);
const remoteIsTrustedProxy = isTrustedProxyAddress(req.socket?.remoteAddress, trustedProxies);
return (hostIsLocal || hostIsTailscaleServe) && (!hasForwarded || remoteIsTrustedProxy);
return isLocalishHost(req.headers?.host) && (!hasForwarded || remoteIsTrustedProxy);
}
function getTailscaleUser(req?: IncomingMessage): TailscaleUser | null {