summaryrefslogtreecommitdiff
path: root/internal/config
diff options
context:
space:
mode:
Diffstat (limited to 'internal/config')
-rw-r--r--internal/config/bind.go44
-rw-r--r--internal/config/bind_test.go27
-rw-r--r--internal/config/config.go6
3 files changed, 76 insertions, 1 deletions
diff --git a/internal/config/bind.go b/internal/config/bind.go
new file mode 100644
index 0000000..f117385
--- /dev/null
+++ b/internal/config/bind.go
@@ -0,0 +1,44 @@
+package config
+
+import (
+ "fmt"
+ "net"
+)
+
+// ValidateBindAddr enforces loopback-by-default binding. It returns an error
+// when addr resolves to a non-loopback interface and externalAllowed is false,
+// so the server fails loud rather than silently exposing itself. Loopback
+// addresses (127.0.0.1, ::1, localhost) always pass.
+func ValidateBindAddr(addr string, externalAllowed bool) error {
+ host, _, err := net.SplitHostPort(addr)
+ if err != nil {
+ // No port (or malformed): treat the whole string as the host.
+ host = addr
+ }
+ if isLoopbackHost(host) {
+ return nil
+ }
+ if externalAllowed {
+ return nil
+ }
+ return fmt.Errorf(
+ "refusing to bind non-loopback address %q: set external_bind_allowed = true to override, "+
+ "but prefer fronting external access with a reverse proxy (Tailscale / Cloudflare Access / Caddy)",
+ addr,
+ )
+}
+
+// isLoopbackHost reports whether host is a loopback target. An empty host
+// (e.g. ":8484") or 0.0.0.0/:: binds all interfaces and is NOT loopback.
+func isLoopbackHost(host string) bool {
+ switch host {
+ case "localhost":
+ return true
+ case "":
+ return false
+ }
+ if ip := net.ParseIP(host); ip != nil {
+ return ip.IsLoopback()
+ }
+ return false
+}
diff --git a/internal/config/bind_test.go b/internal/config/bind_test.go
new file mode 100644
index 0000000..8e0ab4b
--- /dev/null
+++ b/internal/config/bind_test.go
@@ -0,0 +1,27 @@
+package config
+
+import "testing"
+
+func TestValidateBindAddr(t *testing.T) {
+ cases := []struct {
+ addr string
+ external bool
+ wantErr bool
+ }{
+ {"127.0.0.1:8484", false, false}, // loopback ok
+ {"localhost:8484", false, false}, // loopback ok
+ {"[::1]:8484", false, false}, // ipv6 loopback ok
+ {":8484", false, true}, // all interfaces, not allowed
+ {"0.0.0.0:8484", false, true}, // all interfaces, not allowed
+ {"192.168.1.10:8484", false, true}, // LAN ip, not allowed
+ {":8484", true, false}, // all interfaces, explicitly allowed
+ {"0.0.0.0:8484", true, false}, // explicitly allowed
+ {"192.168.1.10:8484", true, false}, // explicitly allowed
+ }
+ for _, c := range cases {
+ err := ValidateBindAddr(c.addr, c.external)
+ if (err != nil) != c.wantErr {
+ t.Errorf("ValidateBindAddr(%q, external=%v): err=%v, wantErr=%v", c.addr, c.external, err, c.wantErr)
+ }
+ }
+}
diff --git a/internal/config/config.go b/internal/config/config.go
index 58de95c..6f6b958 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -70,6 +70,10 @@ type Config struct {
ClaudeConfigDir string `toml:"claude_config_dir"`
LocalModel LocalModel `toml:"local_model"`
Budget BudgetConfig `toml:"budget"`
+ // ExternalBindAllowed must be explicitly true to bind a non-loopback address.
+ // Default external access should go through a reverse proxy (Tailscale /
+ // Cloudflare Access / Caddy); binding the server directly is a footgun.
+ ExternalBindAllowed bool `toml:"external_bind_allowed"`
}
// BudgetConfig configures rolling per-provider spend caps. With no providers
@@ -103,7 +107,7 @@ func Default() (*Config, error) {
GeminiImage: "claudomator-agent:latest",
MaxConcurrent: 3,
DefaultTimeout: "15m",
- ServerAddr: ":8484",
+ ServerAddr: "127.0.0.1:8484",
WorkspaceRoot: "/workspace",
ClaudeConfigDir: "/workspace/claudomator/credentials/claude",
}, nil