security: bind credential proxy to bridge IP, not 0.0.0.0

Binding to 0.0.0.0 exposed the credential proxy (which holds API
keys/OAuth tokens) to the entire local network. Now binds to the
bridge interface IP (same as CONTAINER_HOST_GATEWAY) so only Apple
Container VMs can reach it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
gavrielc
2026-03-29 00:02:32 +03:00
parent 5c56d4564d
commit 9fc60f6af2
+3 -3
@@ -32,11 +32,11 @@ function detectHostGateway(): string {
/**
* Address the credential proxy binds to.
* Apple Container VMs reach the host via the bridge network, so the proxy
* must bind to 0.0.0.0 (or the bridge IP) — not just loopback.
* Binds to the bridge interface IP so only Apple Container VMs can reach it.
* Never 0.0.0.0 — that would expose credentials to the local network.
*/
export const PROXY_BIND_HOST =
process.env.CREDENTIAL_PROXY_HOST || '0.0.0.0';
process.env.CREDENTIAL_PROXY_HOST || CONTAINER_HOST_GATEWAY;
/** CLI args needed for the container to resolve the host gateway. */
export function hostGatewayArgs(): string[] {
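Review bot: the `process.env.CREDENTIAL_PROXY_HOST ||` override on the `PROXY_BIND_HOST` line still accepts `0.0.0.0` (or `::`), which contradicts the new comment's "Never 0.0.0.0". Consider rejecting wildcard addresses at that point, or at least logging a warning at startup when the override is set to one. It is also worth confirming what `detectHostGateway()` returns when no bridge interface is found, since that value is now the default bind address and its fallback is not visible in this hunk; if it is not a local interface address the listen call will fail, and the proxy should fail closed there rather than fall back to a wider bind.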