diff options
Diffstat (limited to 'internal/config')
| -rw-r--r-- | internal/config/bind.go | 44 | ||||
| -rw-r--r-- | internal/config/bind_test.go | 27 | ||||
| -rw-r--r-- | internal/config/config.go | 6 |
3 files changed, 76 insertions, 1 deletions
diff --git a/internal/config/bind.go b/internal/config/bind.go new file mode 100644 index 0000000..f117385 --- /dev/null +++ b/internal/config/bind.go @@ -0,0 +1,44 @@ +package config + +import ( + "fmt" + "net" +) + +// ValidateBindAddr enforces loopback-by-default binding. It returns an error +// when addr resolves to a non-loopback interface and externalAllowed is false, +// so the server fails loud rather than silently exposing itself. Loopback +// addresses (127.0.0.1, ::1, localhost) always pass. +func ValidateBindAddr(addr string, externalAllowed bool) error { + host, _, err := net.SplitHostPort(addr) + if err != nil { + // No port (or malformed): treat the whole string as the host. + host = addr + } + if isLoopbackHost(host) { + return nil + } + if externalAllowed { + return nil + } + return fmt.Errorf( + "refusing to bind non-loopback address %q: set external_bind_allowed = true to override, "+ + "but prefer fronting external access with a reverse proxy (Tailscale / Cloudflare Access / Caddy)", + addr, + ) +} + +// isLoopbackHost reports whether host is a loopback target. An empty host +// (e.g. ":8484") or 0.0.0.0/:: binds all interfaces and is NOT loopback. +func isLoopbackHost(host string) bool { + switch host { + case "localhost": + return true + case "": + return false + } + if ip := net.ParseIP(host); ip != nil { + return ip.IsLoopback() + } + return false +} diff --git a/internal/config/bind_test.go b/internal/config/bind_test.go new file mode 100644 index 0000000..8e0ab4b --- /dev/null +++ b/internal/config/bind_test.go @@ -0,0 +1,27 @@ +package config + +import "testing" + +func TestValidateBindAddr(t *testing.T) { + cases := []struct { + addr string + external bool + wantErr bool + }{ + {"127.0.0.1:8484", false, false}, // loopback ok + {"localhost:8484", false, false}, // loopback ok + {"[::1]:8484", false, false}, // ipv6 loopback ok + {":8484", false, true}, // all interfaces, not allowed + {"0.0.0.0:8484", false, true}, // all interfaces, not allowed + {"192.168.1.10:8484", false, true}, // LAN ip, not allowed + {":8484", true, false}, // all interfaces, explicitly allowed + {"0.0.0.0:8484", true, false}, // explicitly allowed + {"192.168.1.10:8484", true, false}, // explicitly allowed + } + for _, c := range cases { + err := ValidateBindAddr(c.addr, c.external) + if (err != nil) != c.wantErr { + t.Errorf("ValidateBindAddr(%q, external=%v): err=%v, wantErr=%v", c.addr, c.external, err, c.wantErr) + } + } +} diff --git a/internal/config/config.go b/internal/config/config.go index 58de95c..6f6b958 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -70,6 +70,10 @@ type Config struct { ClaudeConfigDir string `toml:"claude_config_dir"` LocalModel LocalModel `toml:"local_model"` Budget BudgetConfig `toml:"budget"` + // ExternalBindAllowed must be explicitly true to bind a non-loopback address. + // Default external access should go through a reverse proxy (Tailscale / + // Cloudflare Access / Caddy); binding the server directly is a footgun. + ExternalBindAllowed bool `toml:"external_bind_allowed"` } // BudgetConfig configures rolling per-provider spend caps. With no providers @@ -103,7 +107,7 @@ func Default() (*Config, error) { GeminiImage: "claudomator-agent:latest", MaxConcurrent: 3, DefaultTimeout: "15m", - ServerAddr: ":8484", + ServerAddr: "127.0.0.1:8484", WorkspaceRoot: "/workspace", ClaudeConfigDir: "/workspace/claudomator/credentials/claude", }, nil |
