YunoHost / package_linter

Linter for YunoHost applications packages
https://yunohost.org/#/packaging_apps
GNU Affero General Public License v3.0

add bind_public_ip check #125

Closed OniriCorpe closed 4 months ago

OniriCorpe commented 5 months ago

Check if a package config file uses 0.0.0.0 or :: to bind IPs. If so, there is a risk of binding a public IP; this can result in a security issue, as the SSO can be bypassed by knowing a public IP (typically an IPv6) and the app port.

OniriCorpe commented 5 months ago

edit: this comment is not relevant anymore

I don't know how to discriminate just :: from ::1 or fd1d:f00d:1312::aaaa, any idea?

 ⓘ Configuration files

    - config.yaml:134: Binding to '0.0.0.0' or '::' can result in a security issue as the SSO can be bypassed by knowing a public IP (typically an IPv6) and the app port. Please be sure that this behavior is intentional. Maybe use '127.0.0.1' or '::1' instead.
trusted-proxies:
  - "127.0.0.1/32"
  - "::1"

line 134 is - "::1"

OniriCorpe commented 5 months ago

it should be fine now ^w^

thanks to @Psycojoker for the help <3
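One way to implement the distinction asked about above (flag a bare `::` or `0.0.0.0`, but not `::1` or `fd1d:f00d:1312::aaaa`), written here as an added example rather than the code of this PR or of package_linter; the sample config text is constructed for the demo:

```python
import re
from typing import List, Tuple

# Constructed sample config (not from any real YunoHost package): mixes real
# wildcard binds with IPv6 values that merely *contain* '::'.
SAMPLE_CONFIG = """\
listen: 0.0.0.0:8080
bind_address: "::"
trusted-proxies:
  - "127.0.0.1/32"
  - "::1"
  - "fd1d:f00d:1312::aaaa"
host = '::'
"""

# A wildcard bind is 0.0.0.0 (optionally with :port) or a *bare* '::'.
# The token must not be adjacent to another address character, so '::1',
# '1::' and 'fd1d:f00d:1312::aaaa' are not reported, while '[::]:3000' is.
IPV4_ANY = r"0\.0\.0\.0(?::\d{1,5})?"
IPV6_ANY = r"::"
WILDCARD_RE = re.compile(
    r"(?<![0-9A-Za-z.:])(?:" + IPV4_ANY + "|" + IPV6_ANY + r")(?![0-9A-Za-z.:])"
)


def find_wildcard_binds(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_token) for each wildcard bind in text.

    Lines that are only a '#' or ';' comment are skipped.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):
            continue
        for m in WILDCARD_RE.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def lint(path_label: str, text: str) -> List[str]:
    """Render one linter-style message per hit, in the wording of this PR."""
    return [
        f"{path_label}:{lineno}: Binding to '0.0.0.0' or '::' can result in a "
        "security issue as the SSO can be bypassed by knowing a public IP "
        "(typically an IPv6) and the app port. Please be sure that this "
        "behavior is intentional. Maybe use '127.0.0.1' or '::1' instead."
        for lineno, _ in find_wildcard_binds(text)
    ]
```

Running `lint("config.yaml", SAMPLE_CONFIG)` reports lines 1, 2 and 7 only; the `::1` proxy entry that triggered the false positive in the comment above is left alone.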

OniriCorpe commented 5 months ago

I quickly made a list of apps using 0.0.0.0 in their config: (some are legitimate to use it, but most aren't)

- YunoHost-Apps/nomad_ynh · conf/nomad.hcl
- YunoHost-Apps/veloren_ynh · conf/settings.ron
- YunoHost-Apps/peertube_ynh · conf/production.yaml
- YunoHost-Apps/mopidy_ynh · conf/app.conf
- YunoHost-Apps/trilium_ynh · conf/config.ini
- YunoHost-Apps/transmission_ynh · conf/settings.json
- YunoHost-Apps/wikijs_ynh · conf/config.sample.yml
- YunoHost-Apps/matterbridge_ynh · conf/matterbridge.toml.example
- YunoHost-Apps/teddit_ynh · conf/config.js.template
- YunoHost-Apps/navidrome_ynh · conf/navidrome.toml
- YunoHost-Apps/fab-manager_ynh · conf/fab-manager-app.service
- YunoHost-Apps/mautrix_whatsapp_ynh · conf/config.yaml
- YunoHost-Apps/gogs_ynh · conf/app.ini
- YunoHost-Apps/buckets_ynh · conf/systemd.service
- YunoHost-Apps/shadowsocks_ynh · conf/shadowsocks.json
- YunoHost-Apps/mautrix_telegram_ynh · conf/config.yaml
- YunoHost-Apps/nitter_ynh · conf/nitter.conf
- YunoHost-Apps/unbound_ynh · conf/unbound.conf
- YunoHost-Apps/headscale_ynh · conf/config.yaml
- YunoHost-Apps/mautrix_signal_ynh · conf/config.yaml
- YunoHost-Apps/matrix-appservice-irc_ynh · conf/config.yaml
- YunoHost-Apps/mautrix_instagram2_ynh · conf/config.yaml
- YunoHost-Apps/mautrix_facebook_ynh · conf/config.yaml
- YunoHost-Apps/lemmy_ynh · conf/lemmy-ui.service
- YunoHost-Apps/mautrix_googlechat_ynh · conf/config.yaml
- YunoHost-Apps/syncthing_ynh · conf/config.xml
- YunoHost-Apps/torrelay_ynh · conf/torrc
- YunoHost-Apps/gemserv_ynh · conf/server.toml
- YunoHost-Apps/lemmy_ynh · conf/lemmy.hjson
- YunoHost-Apps/send_ynh · conf/config.js -- fixed in https://github.com/YunoHost-Apps/send_ynh/pull/28
- YunoHost-Apps/transpay_ynh · conf/config.ini.j2
- YunoHost-Apps/mediagoblin_ynh · conf/paste.ini
- YunoHost-Apps/rportd_ynh · conf/rportd.example.conf
- YunoHost-Apps/shinken_ynh · conf/webui2.cfg
- YunoHost-Apps/tes3mp_ynh · conf/tes3mp-server-default.cfg