fix(transport): exempt loopback hosts from MISSING_TLS / INSECURE_TRANSPORT (#48)#53
Open
dmchaledev wants to merge 1 commit into
Open
fix(transport): exempt loopback hosts from MISSING_TLS / INSECURE_TRANSPORT (#48)#53dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
…NSPORT (#48) MISSING_TLS and INSECURE_TRANSPORT keyed purely off the URL scheme, so any plaintext http:// or ws:// transport bound to a loopback host (localhost, 127.0.0.0/8, ::1) earned a HIGH finding. Loopback traffic never leaves the machine, so there is no network segment on which it could be intercepted — the finding text's "sent in cleartext over the network" claim is factually wrong for loopback, and under --fail-on=high / --exit-code it failed the build on the most common local-dev MCP setup (Claude Desktop, Cursor, VS Code, Windsurf all launch servers on http://localhost). Add an isLoopbackHost() helper (localhost and *.localhost, 127.0.0.0/8, ::1, 0.0.0.0) and guard both rules with it, mirroring the W3C Secure Contexts "potentially trustworthy" carve-out. Non-loopback http:// / ws:// URLs still fire HIGH; https:// / wss:// still pass. Adds tests covering loopback vs. public and lookalike hosts for both rules plus an end-to-end secure-loopback scan, and documents the change in CHANGELOG. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_013wetiH1LxF572ZPsudYYrW
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #48.
MISSING_TLSandINSECURE_TRANSPORTkeyed purely off the URL scheme, ignoring the host, so any plaintexthttp://orws://transport bound to a loopback address (localhost,127.0.0.0/8,::1) earned a HIGH finding.Loopback traffic never leaves the machine — there is no network segment on which it could be intercepted — so:
--fail-on=high/--exit-code(the tool's own CI-gate recommendation), a fully-secured local dev server failed the build — andhttp://localhostis the dominant deployment for MCP servers (Claude Desktop, Cursor, VS Code, Windsurf all launch servers locally).This implements Option A from the issue (the maintainer-recommended direction), mirroring the W3C Secure Contexts spec, which classifies
localhost,127.0.0.0/8, and::1as potentially trustworthy.Changes
src/rules/loopback.ts(new):isLoopbackHost(url)helper — parses the host via theURLAPI and matcheslocalhost/*.localhost(RFC 6761),127.0.0.0/8,::1, and0.0.0.0. Returnsfalsefor unparseable URLs and lookalike hosts (e.g.localhost.evil.com).src/rules/auth-rules.ts(MISSING_TLS) andsrc/rules/runtime-rules.ts(INSECURE_TRANSPORT): skip the finding when the transport URL is loopback.src/__tests__/scanner.test.ts: loopback vs. public vs. lookalike coverage for both rules, plus an end-to-end secure-loopback scan assertingpassed: trueand zero HIGH findings.CHANGELOG.md: documents the fix under[Unreleased] → Fixed.Behavior (built CLI)
Acceptance criteria (from #48)
http://localhost/http://127.0.0.1/http://[::1]does not produce a HIGHMISSING_TLS.ws://localhostis handled the same way forINSECURE_TRANSPORT.http:///ws://still fire HIGH;https:///wss://still pass (no regression).Verification
npm run typecheck— cleannpm run lint— clean (--max-warnings 0)npm test— 131 passed (10 new)🤖 Generated with Claude Code
https://claude.ai/code/session_013wetiH1LxF572ZPsudYYrW
Generated by Claude Code