docsify-cli
docsify-cli copied to clipboard
docsifyjs
fix(security): `docsify serve` should only listen on localhost
The local development server spawned by docsify serve listens on all interfaces by default. This might be a security concern when working on an insecure local network.
This PR restricts the server to localhost / 127.0.0.1.
Thanks for the PR 👍 I think it does fallback to the localhost by default. Can you give some more info or any reference for this?
perhaps we can add an optional flag for the serve command where it will set this host and port if required. Need to discuss this a little
In my testing the server was listening on 0.0.0.0, at least on Windows.
I support the idea of an optional flag.
In any case, the console message should not be hard-coded to say localhost but instead the actual IP being listened on. Let me see if I can make these changes in the next few days.
In my testing the server was listening on 0.0.0.0, at least on Windows
Strange 😕 I uses windows too but never faced this. Will try to re-create it if possible.
In any case, the console message should not be hard-coded to say localhost but instead the actual IP being listened on. Let me see if I can make these changes in the next few days.
Yup, this need to be done. I would lean more towards the optional flag cause in general the default behavior of a CLI should be changed using flags. Feel free to investigate and send a new PR. Or I guess you can rebase and squash this one too
The Node.js doc states it defaults to 0.0.0.0.
@solymosi Can you link to a document explaining what the security issue is? The Node.js doc, and the Wiki page it links to, both don't mention anything regarding security.
I don't really see any security concern here: https://serverfault.com/questions/78048/whats-the-difference-between-ip-address-0-0-0-0-and-127-0-0-1
Docsify is intended to be served to the public. The administrator any machine where Docsify is served will need to take care to restrict exposure of the site as they wish.
To that end, having an option to specify the host would be convenient (rather than a hard-coded value of 127.0.0.1). It can be a new host parameter to that function.
function (path, openInBrowser, port, livereloadPort, host = '0.0.0.0') {
or similar.
I've made the requested changes. Also added an --ip option for docsify serve which defaults to 0.0.0.0.
@solymosi Can you link to a document explaining what the security issue is? The Node.js doc, and the Wiki page it links to, both don't mention anything regarding security.
I was initially made aware of the fact that Docsify actually listens on 0.0.0.0 instead of localhost when I received a vulnerability alert from our corporate network scanning service that I had an HTTP service running on my development machine that was exposing a .git folder. This turned out to be a Docsify instance that I was running locally while I was working on some documentation. This is why I mentioned this being a potential security concern, since it could lead to sensitive data exposure from a developer machine that is connected to an untrusted network.
I think displaying the actual listen host (i.e. 0.0.0.0 by default) and making it configurable is a good compromise, since it is a non-breaking change but it still lets more security-conscious users change the IP to 127.0.0.1 if they want.
Hey ! sorry for the delay, Lets do few things before merging it.
- Docs update : added notes in the read (ignore if already done)
- what do you think of making the default to
localhostand then it can be override based on our choice using the flag--ipwhich is introduced in this PR
I use an external machine for development, so this change is an inconvenience with little to no security benefit.
I need this feature to run docsify on a whitelisted hostname. Any updates?
