Summary
The OAuth callback server validates the state parameter but does not validate the Host header or the HTTP method, so the local redirect endpoint accepts requests it has no reason to serve and its attack surface is wider than it needs to be.
Affected Files
src/services/x-auth.ts (lines 100-140)
Vulnerable Code
private startCallbackServer(expectedState: string, authUrl: string): Promise<string> {
  return new Promise((resolve, reject) => {
    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
      // req.method is never checked, and the client-supplied Host header is used
      // unchecked as the base for parsing the request URL
      const url = new URL(req.url || '', `http://${req.headers.host}`);
      if (url.pathname === '/callback') {
        const code = url.searchParams.get('code');
        const state = url.searchParams.get('state');
        // ...
        if (!code || state !== expectedState) {
          // Reject...
Why It's a Security Risk
- No Host header verification: the listener serves a request whose Host names something other than the loopback address it was started for, and that client-supplied value is also used unchecked as the base when parsing req.url
- No HTTP method validation: an authorization-code redirect always arrives as a GET, so every other method should be rejected
- Combined with the separately reported network binding issue, this increases the attack surface of the callback listener
Recommended Fix
// Reject anything but the GET that the authorization server's redirect produces
if (req.method !== 'GET') {
  res.writeHead(405);
  res.end('Method Not Allowed');
  return;
}
// Require the exact host:port the listener was started on, before req.url is parsed
const expectedHost = `127.0.0.1:${CALLBACK_PORT}`;
if (req.headers.host !== expectedHost) {
  res.writeHead(400);
  res.end('Invalid Host header');
  return;
}
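The following is an added example, not code from the project's x-auth.ts: it takes the two checks recommended above together with the existing path, code and state checks and puts them in one pure decision function that can be unit-tested without opening a socket, then wires that function into a one-shot loopback server of the same shape as startCallbackServer. The port value, the CALLBACK_PATH constant, the timing-safe comparison of state and the listener timeout are assumptions of this example and are not stated in the issue. One caveat worth keeping in mind when applying the Host check: expectedHost has to match the redirect URI registered with the provider exactly (127.0.0.1 versus localhost, with port), otherwise legitimate callbacks are rejected with 400.

```typescript
import { createServer, IncomingMessage, ServerResponse } from 'node:http';
import { timingSafeEqual } from 'node:crypto';

// Assumed value: the issue references CALLBACK_PORT but does not state it.
const CALLBACK_PORT = 8989;
const CALLBACK_PATH = '/callback';

interface CallbackDecision {
  status: number;   // HTTP status the server should answer with
  message: string;  // response body
  code?: string;    // authorization code, present only when status is 200
}

// Compare two strings without leaking where they first differ (an addition of
// this example; the issue's own check uses plain !==).
function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, 'utf8');
  const bb = Buffer.from(b, 'utf8');
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Pure decision function: the method and Host checks from the recommended fix,
// then the path, code and state checks the handler already performs.
function evaluateCallback(
  method: string | undefined,
  hostHeader: string | undefined,
  rawUrl: string | undefined,
  expectedState: string,
  expectedHost: string = `127.0.0.1:${CALLBACK_PORT}`,
): CallbackDecision {
  // 1. An authorization-code redirect arrives as GET; anything else is rejected.
  if (method !== 'GET') {
    return { status: 405, message: 'Method Not Allowed' };
  }
  // 2. Host must name the loopback listener exactly (address and port).
  if (hostHeader !== expectedHost) {
    return { status: 400, message: 'Invalid Host header' };
  }
  // 3. Parse against a fixed base, never against the request's own Host value.
  const url = new URL(rawUrl ?? '/', `http://${expectedHost}`);
  if (url.pathname !== CALLBACK_PATH) {
    return { status: 404, message: 'Not Found' };
  }
  const code = url.searchParams.get('code');
  const state = url.searchParams.get('state');
  // 4. State must equal the value generated when the authorization URL was built.
  if (!code || state === null || !constantTimeEqual(state, expectedState)) {
    return { status: 400, message: 'Invalid state or missing code' };
  }
  return { status: 200, message: 'Authentication complete. You may close this window.', code };
}

// One-shot loopback listener that resolves with the authorization code on the
// first request that passes every check and closes itself afterwards.
function startCallbackServer(expectedState: string, timeoutMs = 120_000): Promise<string> {
  return new Promise((resolve, reject) => {
    // A forgotten listener is itself attack surface; close it after a deadline.
    const timer = setTimeout(() => {
      server.close();
      reject(new Error('OAuth callback timed out'));
    }, timeoutMs);
    timer.unref();
    const server = createServer((req: IncomingMessage, res: ServerResponse) => {
      const decision = evaluateCallback(req.method, req.headers.host, req.url, expectedState);
      res.writeHead(decision.status, { 'Content-Type': 'text/plain' });
      res.end(decision.message);
      if (decision.status === 200 && decision.code !== undefined) {
        clearTimeout(timer);
        server.close();
        resolve(decision.code);
      }
    });
    // Bind to loopback only, so the Host check is a second line of defense.
    server.listen(CALLBACK_PORT, '127.0.0.1');
  });
}
```

Because evaluateCallback receives the raw method, Host and URL strings, the rejection paths (wrong method, foreign Host, wrong path, mismatched state) can be covered by ordinary unit tests, which is hard to do when the checks live inline in the createServer callback.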
Priority
MEDIUM - Additional defense-in-depth for OAuth flow.