Merge pull request #1434 from hydephp/update-realtime-compiler-dashbo…

…ard-to-block-unsafe-requests Update realtime compiler dashboard to block unsafe requests
hydephp · Nov 7, 2023 · 791da0c · 791da0c
2 parents cf88506 + 5e26dac
commit 791da0c
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/packages/realtime-compiler/src/Http/DashboardController.php b/packages/realtime-compiler/src/Http/DashboardController.php
@@ -88,6 +88,7 @@ public function __construct()
             }
 
             try {
+                $this->blockUnsafeRequests();
                 $this->handlePostRequest();
             } catch (HttpException $exception) {
                 if (! $this->isAsync) {
@@ -472,6 +473,21 @@ protected static function getPackageVersion(string $packageName): string
         return $prettyVersion ?? 'unreleased';
     }
 
+    protected function blockUnsafeRequests(): void
+    {
+        // As the dashboard is not password-protected, and it can make changes to the file system,
+        // we block any requests that are not coming from the host machine. While we are clear
+        // in the documentation that the realtime compiler should only be used for local
+        // development, we still want to be extra careful in case someone forgets.
+
+        $requestIp = $_SERVER['REMOTE_ADDR'];
+        $allowedIps = ['::1', '127.0.0.1', 'localhost'];
+
+        if (! in_array($requestIp, $allowedIps, true)) {
+            $this->abort(403, "Refusing to serve request from address '$requestIp' (must be on localhost)");
+        }
+    }
+
     protected function sendJsonResponse(int $statusCode, string $body): never
     {
         $statusMessage = match ($statusCode) {