private-connect 0.4.5 → 0.4.7
- package/dist/index.js +4 -3
- package/package.json +1 -1
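--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -632,10 +632,11 @@ async function runTcpTunnelProxy(tunnelId, wsUrl, localHost, localPort) {
 connectionCount++;
 const timestamp = new Date().toLocaleTimeString();
 console.log(` ${c.gray}[${timestamp}]${c.reset} ${c.cyan}TCP${c.reset} connection ${data.connectionId.slice(0, 8)}`);
-// Connect to local service
+// Connect to local service - use validated localHost/localPort, not server-provided values
+// This prevents SSRF attacks where a compromised server could redirect connections
 const localSocket = net.createConnection({
-host:
-port:
+host: localHost,
+port: localPort,
 });
 tcpConnections.set(data.connectionId, localSocket);
 localSocket.on('connect', () => {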
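Review bot: `data.connectionId` is still taken from the server message unchecked, even though this change treats the server as potentially compromised; it is sliced and printed in the `console.log` call and used as the key in `tcpConnections.set`. A non-string value would throw on `.slice`, and a repeated id would overwrite the existing map entry without closing the earlier socket. A guard ahead of the log line such as `if (typeof data.connectionId !== 'string' || tcpConnections.has(data.connectionId)) return;` would cover both, assuming an early return fits the enclosing message handler, which starts outside the hunk. The new comment also calls `localHost`/`localPort` "validated", but no validation is visible in this hunk, so the comment should name where that check is done.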
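--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "private-connect",
-"version": "0.4.
+"version": "0.4.7",
 "description": "Access private services by name from anywhere. No VPN setup, no firewall rules. Open source alternative to ngrok and Tailscale for service-level connectivity.",
 "bin": {
 "private-connect": "./dist/index.js"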