git-watchtower 1.10.15 → 1.10.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/bin/git-watchtower.js +9 -0
  2. package/package.json +1 -1
  3. package/src/server/web.js +11 -0
package/bin/git-watchtower.js CHANGED
@@ -2082,6 +2082,14 @@ let server = null;
2082
2082
 
2083
2083
  function createStaticServer() {
2084
2084
  return http.createServer((req, res) => {
2085
+ // DNS-rebinding protection: reject requests with non-loopback Host headers
2086
+ const host = (req.headers.host || '').replace(/:\d+$/, '').toLowerCase();
2087
+ if (host !== 'localhost' && host !== '127.0.0.1' && host !== '[::1]') {
2088
+ res.writeHead(403, { 'Content-Type': 'text/plain' });
2089
+ res.end('Forbidden: invalid Host header');
2090
+ return;
2091
+ }
2092
+
2085
2093
  const url = new URL(req.url, `http://localhost:${PORT}`);
2086
2094
  let pathname = url.pathname;
2087
2095
  const logPath = pathname; // Keep original for logging
@@ -2522,6 +2530,7 @@ function setupKeyboardInput() {
2522
2530
  const child = spawn('npm', ['i', '-g', 'git-watchtower'], {
2523
2531
  stdio: 'ignore',
2524
2532
  detached: false,
2533
+ shell: process.platform === 'win32',
2525
2534
  });
2526
2535
  child.on('close', (code) => {
2527
2536
  store.setState({ updateInProgress: false, updateModalVisible: false, updateModalSelectedIndex: 0 });
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "git-watchtower",
3
- "version": "1.10.15",
3
+ "version": "1.10.17",
4
4
  "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
5
5
  "main": "bin/git-watchtower.js",
6
6
  "bin": {
package/src/server/web.js CHANGED
@@ -342,6 +342,17 @@ class WebDashboardServer {
342
342
  * @private
343
343
  */
344
344
  _handleRequest(req, res) {
345
+ // DNS-rebinding protection: only allow requests whose Host header
346
+ // matches a known loopback address. Without this, a malicious page
347
+ // could resolve an attacker-controlled hostname to 127.0.0.1 and
348
+ // POST to /api/action to trigger destructive actions.
349
+ const host = (req.headers.host || '').replace(/:\d+$/, '').toLowerCase();
350
+ if (host !== 'localhost' && host !== '127.0.0.1' && host !== '[::1]') {
351
+ res.writeHead(403, { 'Content-Type': 'text/plain' });
352
+ res.end('Forbidden: invalid Host header');
353
+ return;
354
+ }
355
+
345
356
  const url = new URL(req.url, `http://localhost:${this.port}`);
346
357
  const pathname = url.pathname;
347
358