CodeNarcServer should listen on localhost only

[maurofaccenda]

Hi, I believe for security reasons, by default the server should listen on localhost only. Listening on any interface could unnecessarily expose the users' system.

[nvuillam]

This is totally true, and whereas the risk to have someone force the linting of groovy files from outside is low, this is a problem that should be solved.
npm-groovy-lint v1 was using local socket connection, but it didn't work on mac and linux, that's why i used "open" port so that every computer was compliant.
I see you forked the repo, are you working on it, or should I add that to my todo list ? 😅

[nvuillam]

This is the solution i initially implemented but was not mac/linux compliant

https://stackoverflow.com/questions/50770747/how-to-configure-com-sun-net-httpserver-to-accept-only-requests-from-localhost

[maurofaccenda]

On my scenario, the computer have policies that doesn't allow any process to listen on any 'external' network interface. So the CodeNarcServer fails to run. To overcome that locally, I've changed the options.js to use http://127.0.0.1 as default serverhost.

That probably would work on any system (I tested on Mac), except if it has IPv4 disabled (if that's the case it should use http://::1). It could work on both cases if we use http://localhost. But I didn't try.

If you want to find a better approach, I am willing to try on both Mac and Linux and make sure it works. :)

[maurofaccenda]

I see you forked the repo, are you working on it, or should I add that to my todo list ? 😅

I'm no JS dev. But I if the suggestion I've made just before works for you, I can create a PR.

Btw, I forgot to thank you for the projects, I've been looking for something like that for quite some time :)

[nvuillam]

I'll try to make such update in a beta version and ask you to try :)

I have CI on Windows & Linux, but for mac CircleCI is paying so your help will be welcome :)

[nvuillam]

I tried an update and it seems to be ok on Windows and Linux

Please can you try the following, and confirm that :

• it works :)
• CodeNarcServer is called and performances are not impacted compared to current released version

npm install -g npm-groovy-lint@5.2.0-beta.0
npm-groovy-lint --killserver
npm-groovy-lint

Many thanks :)

[nvuillam]

@maurofaccenda , any news ? :)

[maurofaccenda]

@nvuillam hey. i've really busy this week. i'll give it a try as soon as i can get some spare time to try it (my work env -- where i have a mac -- is really strict, so it takes some effort to run stuff like this). i'll give a shout as soon as possible.

[nvuillam]

Thanks :) Le mar. 30 juin 2020 à 13:07, Mauro Faccenda <notifications@github.com> a écrit :

…

@nvuillam <https://github.com/nvuillam> hey. i've really busy this week. i'll give it a try as soon as i can get some spare time to try it (my work env -- where i have a mac -- is really strict, so it takes some effort to run stuff like this). i'll give a shout as soon as possible. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#56 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEFQSDTQBG6K757BV4JKETLRZHBPTANCNFSM4OFZCAKA> .

[maurofaccenda]

I've managed to test. It worked out of the box. But it seem to listen on all interfaces (0.0.0.0:7484).

[nvuillam]

Thanks for your test ! It works on Windows & Linux too, so ... let's have a leap of faith :)

I implemented https://stackoverflow.com/questions/50770747/how-to-configure-com-sun-net-httpserver-to-accept-only-requests-from-localhost , 4 likes for the answer, and the author seems to be a java expert and has a very high reputation on stackexchange (best 0.01%) so let's trust him :D

It seems that listen != accept, so even if it listens to maybe more than localhost, it will accept only from localhost

But if you hear of a stronger way, don't hesitate to reopen the issue :)

[nvuillam]

Published in v5.4.0 :)