git-watchtower 1.10.15 → 1.10.16

package/bin/git-watchtower.js

@@ -2082,6 +2082,14 @@ let server = null;
 
 function createStaticServer() {
   return http.createServer((req, res) => {
+  // DNS-rebinding protection: reject requests with non-loopback Host headers
+  const host = (req.headers.host || '').replace(/:\d+$/, '').toLowerCase();
+  if (host !== 'localhost' && host !== '127.0.0.1' && host !== '[::1]') {
+    res.writeHead(403, { 'Content-Type': 'text/plain' });
+    res.end('Forbidden: invalid Host header');
+    return;
+  }
+
   const url = new URL(req.url, `http://localhost:${PORT}`);
   let pathname = url.pathname;
   const logPath = pathname; // Keep original for logging

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "1.10.15",
+  "version": "1.10.16",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/server/web.js

@@ -342,6 +342,17 @@ class WebDashboardServer {
    * @private
    */
   _handleRequest(req, res) {
+    // DNS-rebinding protection: only allow requests whose Host header
+    // matches a known loopback address.  Without this, a malicious page
+    // could resolve an attacker-controlled hostname to 127.0.0.1 and
+    // POST to /api/action to trigger destructive actions.
+    const host = (req.headers.host || '').replace(/:\d+$/, '').toLowerCase();
+    if (host !== 'localhost' && host !== '127.0.0.1' && host !== '[::1]') {
+      res.writeHead(403, { 'Content-Type': 'text/plain' });
+      res.end('Forbidden: invalid Host header');
+      return;
+    }
+
     const url = new URL(req.url, `http://localhost:${this.port}`);
     const pathname = url.pathname;