AikidoSec-safe-chain/packages/safe-chain/src
Xander Van Raemdonck 19d2dee5c9
Bind registry proxy to loopback only
Without an explicit host, `server.listen(0)` binds to every interface,
turning safe-chain's unauthenticated forward proxy into an open relay
while `aikido-*` commands are running. Anyone reachable on the network
can use it to hit the victim's localhost, intranet, or cloud metadata
endpoints. The advertised HTTPS_PROXY URL already used `localhost`
(loopback), but the listener itself was wide open.

Bind to 127.0.0.1 explicitly and update the advertised URL to match.
Add a regression test that verifies the listener refuses connections
on non-loopback interfaces.
2026-04-30 20:37:41 +02:00
api remove trailing slashes and fix test failures 2026-04-01 07:08:30 +00:00
config Some fixes 2026-04-14 16:02:46 -07:00
environment Remove ora dependency 2025-11-25 14:22:31 +01:00
packagemanager Add uvx support 2026-04-14 10:04:10 -04:00
registryProxy Bind registry proxy to loopback only 2026-04-30 20:37:41 +02:00
scanning Make sure rejected promise is not cached in malware list / new packages cache 2026-04-21 09:31:26 +02:00
shell-integration Merge pull request #411 from AikidoSec/feat/dynamic-install-dir 2026-04-16 10:04:25 -07:00
utils PR comments 2026-01-22 08:20:45 +01:00
installLocation.js Some fixes 2026-04-13 13:32:55 -07:00
installLocation.spec.js Cleanup 2026-04-13 11:01:45 -07:00
main.js Adapt per review 2026-03-27 13:17:58 -07:00