AikidoSec-safe-chain/packages/safe-chain
Xander Van Raemdonck 19d2dee5c9
Bind registry proxy to loopback only
Without an explicit host, `server.listen(0)` binds to every interface,
turning safe-chain's unauthenticated forward proxy into an open relay
while `aikido-*` commands are running. Anyone reachable on the network
can use it to hit the victim's localhost, intranet, or cloud metadata
endpoints. The advertised HTTPS_PROXY URL already used `localhost`
(loopback), but the listener itself was wide open.

Bind to 127.0.0.1 explicitly and update the advertised URL to match.
Add a regression test that verifies the listener refuses connections
on non-loopback interfaces.
2026-04-30 20:37:41 +02:00
bin Merge pull request #411 from AikidoSec/feat/dynamic-install-dir 2026-04-16 10:04:25 -07:00
src Bind registry proxy to loopback only 2026-04-30 20:37:41 +02:00
.npmignore Modify release process 2025-09-05 12:01:29 +02:00
package.json Add uvx support 2026-04-14 10:04:10 -04:00
tsconfig.json Type check safe-chain package 2025-11-01 13:06:06 +01:00