
Comments (3)

n0rdy commented on June 1, 2024

Hey @kseistrup ! First of all, thanks for taking the time to check out my tool, I really appreciate that.

About the security issue: thanks a lot for the report, I double-checked and you are absolutely right - that's quite a surprise for me that the standard Golang net/http server behaves like this. Anyway, it's my bad, so I apologize for that.

I'll work on the fix from now on: the simplest solution was to change

...
	server := &http.Server{Addr: ":" + port, Handler: httpRouter}
	go func() {
		err := server.ListenAndServe()
...

to

...
	server := &http.Server{Addr: "localhost:" + port, Handler: httpRouter}
	go func() {
		err := server.ListenAndServe()
...

but it breaks the notification feature - I'm looking into that now.

Updated: my issue with the restricted-to-localhost approach was due to some local OS issues; it works well - created a PR now.

from remindme.

n0rdy commented on June 1, 2024

I believe the issue should be patched now by adding a restriction to accept connection only from the localhost.
If you still have time and inspiration, may I ask you to check this on your end, please? I don't have access to the Linux machine, only via VirtualBox, so not sure if that's a 100% accurate representation of the network state:

sudo netstat -anp | grep remindme
tcp        0      0 127.0.0.1:15555         0.0.0.0:*               LISTEN      4475/remindme

from remindme.

kseistrup commented on June 1, 2024

Thanks, that's much better: the server is now listening on localhost only. 😸

We should still be aware that this is "safe" only on a single-user machine: The remindme server can only be started once (because the port is hard-coded, something that should probably be changed because people may already be using port 15555), so that's good, but if somebody ssh's into a multiuser machine they will be able to add/edit/delete reminders that "belong" to the person who started remindme.

A safe solution is to use a socket for client-server communication. The socket should be owned by the user and preferably have permissions 0600 (at most 0660). The socket should live in the user's runtime directory: $XDG_RUNTIME_DIR is a good choice, so the full path of the socket could be e.g. $XDG_RUNTIME_DIR/remindme.socket or $XDG_RUNTIME_DIR/remindme-$UID.socket.

If $XDG_RUNTIME_DIR is unset, a directory with similar attributes should be chosen and used:

  • The directory must be owned by the user, and
  • they must be the only one having read and write access to it.
  • Its Unix access mode must be 0700.

See e.g. https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html for the XDG Base Directory Specification.

Summary:

  • Listening on localhost:15555 is much better than listening on a globally accessible IP address, however:
  • The listening port should be user configurable (I will open a separate issue for this).
  • Ideally, on platforms that support it, a socket should be used for client-server communication, and
  • Ideally, the socket should be opened in $XDG_RUNTIME_DIR.

🙏

from remindme.
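The Unix-socket design sketched in the comment above, written out as an added example (this is not remindme's code and not part of the thread). It assumes a Linux/Unix host; the fallback directory name `$HOME/.remindme` and the helper names `checkPrivateDir`, `runtimeDir`, `listenPrivateSocket` and `unixHTTPClient` are hypothetical choices for this example. It checks the directory rules from the comment (owned by the user, mode 0700, $XDG_RUNTIME_DIR preferred), creates the socket with mode 0600 rather than relying on the default 0777 minus umask, refuses to start when another instance already answers on the socket, and shows how a client reaches the same net/http handlers over the socket instead of TCP.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"syscall"
)

// checkPrivateDir enforces the directory rules from the thread: it must be a
// directory owned by the current user with access mode exactly 0700.
func checkPrivateDir(dir string) error {
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	if perm := fi.Mode().Perm(); perm != 0o700 {
		return fmt.Errorf("%s: mode %04o, want 0700", dir, perm)
	}
	// Ownership check via the Unix stat structure (Unix sockets only exist there anyway).
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Getuid() {
		return fmt.Errorf("%s: owned by uid %d, not %d", dir, st.Uid, os.Getuid())
	}
	return nil
}

// runtimeDir prefers $XDG_RUNTIME_DIR; if it is unset or fails the checks, it
// falls back to a private directory under $HOME (a hypothetical name for this
// example, not remindme's) and forces that directory to mode 0700.
func runtimeDir() (string, error) {
	if dir := os.Getenv("XDG_RUNTIME_DIR"); dir != "" && checkPrivateDir(dir) == nil {
		return dir, nil
	}
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	dir := filepath.Join(home, ".remindme")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	// MkdirAll applies the umask and leaves an existing directory's mode alone, so set it explicitly.
	if err := os.Chmod(dir, 0o700); err != nil {
		return "", err
	}
	return dir, checkPrivateDir(dir)
}

// listenPrivateSocket creates a Unix domain socket at path with mode 0600.
// If something already answers on the socket, another instance is running and
// we refuse to start instead of deleting its socket; otherwise any leftover
// file is stale and is removed. The umask is tightened while Listen creates
// the file so the socket never exists with wider permissions (umask is
// process-wide, so this is done before any other goroutine creates files).
func listenPrivateSocket(path string) (net.Listener, error) {
	if err := checkPrivateDir(filepath.Dir(path)); err != nil {
		return nil, err
	}
	if c, err := net.Dial("unix", path); err == nil {
		c.Close()
		return nil, fmt.Errorf("%s: another instance is already listening", path)
	}
	_ = os.Remove(path) // nothing answered, so whatever is here is a stale socket
	old := syscall.Umask(0o177)
	ln, err := net.Listen("unix", path)
	syscall.Umask(old)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(path, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	return ln, nil
}

// unixHTTPClient dials the socket instead of TCP, so the existing HTTP
// handlers keep working unchanged; the host part of the URL is ignored.
func unixHTTPClient(path string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", path)
		},
	}}
}

func main() {
	dir, err := runtimeDir()
	if err != nil {
		log.Fatal(err)
	}
	ln, err := listenPrivateSocket(filepath.Join(dir, "remindme.socket"))
	if err != nil {
		log.Fatal(err)
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "pong") })
	log.Fatal(http.Serve(ln, mux)) // same net/http server, now reachable only through the 0600 socket
}
```

Because the socket lives in a 0700 directory and is itself 0600, another local account that ssh's into the machine cannot connect to it at all, which is the gap the localhost:15555 binding leaves open; the dial-before-remove check also preserves the "only one instance" property without relying on a hard-coded port.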
