fix(server): enforce ipWhitelist for Socket.IO too #4169

Merged: sdetweil merged 1 commit into MagicMirrorOrg:develop from KristjanESPERANTO:socket on Jun 1, 2026

Conversation

@KristjanESPERANTO (Collaborator)

ipWhitelist was only applied to HTTP routes, so Socket.IO module namespaces could still be reached from disallowed clients.

This adds the same whitelist check to Socket.IO handshakes (allowRequest), and reuses the same client IP resolution for both HTTP and Socket.IO (forwarded IP is only trusted for loopback peers).

Also adds tests for handshake allow/deny and forwarded-header behavior.

Fixes: GHSA-w26r-fwg8-rcp3

@sdetweil sdetweil merged commit 58c2a5e into MagicMirrorOrg:develop Jun 1, 2026
12 checks passed
@KristjanESPERANTO KristjanESPERANTO deleted the socket branch June 1, 2026 16:56