fix(security): block plaintext WebSocket connections to non-loopback addresses (#20803)

* fix(security): block plaintext WebSocket connections to non-loopback addresses Addresses CWE-319 (Cleartext Transmission of Sensitive Information). Previously, ws:// connections to remote hosts were allowed, exposing both credentials and chat data to network interception. This change blocks ALL plaintext ws:// connections to non-loopback addresses, regardless of whether explicit credentials are configured (device tokens may be loaded dynamically). Security policy: - wss:// allowed to any host - ws:// allowed only to loopback (127.x.x.x, localhost, ::1) - ws:// to LAN/tailnet/remote hosts now requires TLS Changes: - Add isSecureWebSocketUrl() validation in net.ts - Block insecure connections in GatewayClient.start() - Block insecure URLs in buildGatewayConnectionDetails() - Handle malformed URLs gracefully without crashing - Update tests to use wss:// for non-loopback URLs Fixes #12519 * fix(test): update gateway-chat mock to preserve net.js exports Use importOriginal to spread actual module exports and mock only the functions needed for testing. This ensures isSecureWebSocketUrl and other exports remain available to the code under test.
2026-03-16 04:20:44 +00:00 · 2026-02-19 05:13:08 -06:00
parent f7a7a28c56
commit 9edec67a18
9 changed files with 272 additions and 24 deletions
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -2018,7 +2018,7 @@ description: test skill
          mode: "remote",
          auth: { token: "local-token-should-not-use" },
          remote: {
-            url: "ws://remote.example.com:18789",
+            url: "wss://remote.example.com:18789",
            token: "remote-token-xyz789",
          },
        },
@@ -2057,7 +2057,7 @@ description: test skill
          mode: "remote",
          auth: { token: "local-token-should-not-use" },
          remote: {
-            url: "ws://remote.example.com:18789",
+            url: "wss://remote.example.com:18789",
            token: "remote-token",
          },
        },
@@ -2094,7 +2094,7 @@ description: test skill
        gateway: {
          mode: "remote",
          remote: {
-            url: "ws://remote.example.com:18789",
+            url: "wss://remote.example.com:18789",
            password: "remote-pass",
          },
        },
@@ -2132,7 +2132,7 @@ description: test skill
        gateway: {
          mode: "remote",
          remote: {
-            url: "ws://remote.example.com:18789",
+            url: "wss://remote.example.com:18789",
            password: "remote-pass",
          },
        },