From 4f043f9576bbda13b16ae47981fd77151a199fad Mon Sep 17 00:00:00 2001 From: Felipe Augusto Rieck Date: Mon, 4 Aug 2025 16:34:20 -0300 Subject: [PATCH 1/3] Securing websockets --- src/api/integrations/event/websocket/websocket.controller.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/api/integrations/event/websocket/websocket.controller.ts b/src/api/integrations/event/websocket/websocket.controller.ts index a1cef2db..c0d3e5de 100644 --- a/src/api/integrations/event/websocket/websocket.controller.ts +++ b/src/api/integrations/event/websocket/websocket.controller.ts @@ -28,10 +28,11 @@ export class WebsocketController extends EventController implements EventControl allowRequest: async (req, callback) => { try { const url = new URL(req.url || '', 'http://localhost'); + const isInternalConnection = req.socket.remoteAddress === '127.0.0.1' || req.socket.remoteAddress === '::1'; const params = new URLSearchParams(url.search); // Permite conexões internas do Socket.IO (EIO=4 é o Engine.IO v4) - if (params.has('EIO')) { + if (params.has('EIO') && isInternalConnection) { return callback(null, true); } From d4eb61f64d9fe263270146926e973018cf803880 Mon Sep 17 00:00:00 2001 From: Felipe Augusto Rieck Date: Mon, 4 Aug 2025 18:14:33 -0300 Subject: [PATCH 2/3] Improving localhost check --- .../integrations/event/websocket/websocket.controller.ts | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/api/integrations/event/websocket/websocket.controller.ts b/src/api/integrations/event/websocket/websocket.controller.ts index c0d3e5de..f7250b7a 100644 --- a/src/api/integrations/event/websocket/websocket.controller.ts +++ b/src/api/integrations/event/websocket/websocket.controller.ts @@ -28,11 +28,14 @@ export class WebsocketController extends EventController implements EventControl allowRequest: async (req, callback) => { try { const url = new URL(req.url || '', 'http://localhost'); - const isInternalConnection = req.socket.remoteAddress === '127.0.0.1' || req.socket.remoteAddress === '::1'; const params = new URLSearchParams(url.search); + const remoteAddress = req.socket.remoteAddress; + const isLocalhost = + remoteAddress === '127.0.0.1' || remoteAddress === '::1' || remoteAddress === '::ffff:127.0.0.1'; + // Permite conexões internas do Socket.IO (EIO=4 é o Engine.IO v4) - if (params.has('EIO') && isInternalConnection) { + if (params.has('EIO') && isLocalhost) { return callback(null, true); } From fb11f3f99cc19bf1631cb42538e29eb46cb87484 Mon Sep 17 00:00:00 2001 From: Felipe Augusto Rieck Date: Mon, 4 Aug 2025 18:19:14 -0300 Subject: [PATCH 3/3] Code quality --- src/api/integrations/event/websocket/websocket.controller.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/api/integrations/event/websocket/websocket.controller.ts b/src/api/integrations/event/websocket/websocket.controller.ts index f7250b7a..3f4afd9b 100644 --- a/src/api/integrations/event/websocket/websocket.controller.ts +++ b/src/api/integrations/event/websocket/websocket.controller.ts @@ -30,7 +30,7 @@ export class WebsocketController extends EventController implements EventControl const url = new URL(req.url || '', 'http://localhost'); const params = new URLSearchParams(url.search); - const remoteAddress = req.socket.remoteAddress; + const { remoteAddress } = req.socket; const isLocalhost = remoteAddress === '127.0.0.1' || remoteAddress === '::1' || remoteAddress === '::ffff:127.0.0.1';