refactor(security): unify local-host and tailnet CIDR checks

2026-05-08 23:48:28 +00:00 · 2026-02-22 17:20:20 +01:00
parent 21cbf59509
commit f14ebd743c
7 changed files with 63 additions and 31 deletions
--- a/src/gateway/net.ts
+++ b/src/gateway/net.ts
@@ -334,6 +334,19 @@ export function isLoopbackHost(host: string): boolean {
  return isLoopbackAddress(unbracket);
 }

+/**
+ * Local-facing host check for inbound requests:
+ * - loopback hosts (localhost/127.x/::1 and mapped forms)
+ * - Tailscale Serve/Funnel hostnames (*.ts.net)
+ */
+export function isLocalishHost(hostHeader?: string): boolean {
+  const host = resolveHostName(hostHeader);
+  if (!host) {
+    return false;
+  }
+  return isLoopbackHost(host) || host.endsWith(".ts.net");
+}
+
 /**
 * Security check for WebSocket URLs (CWE-319: Cleartext Transmission of Sensitive Information).
 *