
Conversation

@doublethink
Contributor

Proposal to bind CLI services to local IPs (while being configurable). See Linear ticket for context.

Fixes SEC-620

@doublethink doublethink requested a review from a team as a code owner December 12, 2025 02:17
@doublethink doublethink requested a review from aantti December 12, 2025 02:17
@sweatybridge
Contributor

We addressed this before. Just need to document how it works #1397 (comment)

@doublethink
Contributor Author

We addressed this before. Just need to document how it works #1397 (comment)

@sweatybridge is the behavior on by default?

@sweatybridge
Contributor

sweatybridge commented Dec 12, 2025

If you mean whether we are only binding to localhost by default, the decision is no. It was done for convenience of testing local mobile apps. #1542 And it would be a breaking change to revert this for existing users.

The CVE you mentioned is mostly concerned with folks exposing CLI to the internet. This is a misuse of CLI. In local environments, user laptops are connected to their private trusted network most of the time. Hence, I'd suggest keeping the current behaviour and adding a warning to our docs:

If you are running CLI in a public network that you don't trust, you should create a separate docker network and bind to 127.0.0.1 before starting the local stack.

docker network create -o 'com.docker.network.bridge.host_binding_ipv4=127.0.0.1' local-network
npx supabase@beta start --network-id local-network

I believe we should lean on docker network because it's more robust than adding our own custom networking config.
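A way to confirm that the workaround in the comment above actually took effect, added here as an example and not code from the supabase/cli project: it wraps the two commands from the comment in a function (not executed automatically, since it needs Docker), then adds a check that reads `docker ps --format '{{.Names}} {{.Ports}}'` output and reports every published port still bound to a wildcard address (0.0.0.0 or [::]) instead of 127.0.0.1. The container names and port numbers in the sample input are constructed for the demonstration; the `local-network` name and the docker/npx commands come from the comment.

```shell
#!/bin/sh
# Added example (not from the supabase/cli project).
# Goal: after starting the local stack on a docker network whose
# host_binding_ipv4 option is 127.0.0.1, verify that no service port is
# still published on a wildcard address.

# Step 1, exactly as in the comment above. Wrapped in a function so this
# file can be run without Docker present; call it by hand.
create_local_network() {
    docker network create -o 'com.docker.network.bridge.host_binding_ipv4=127.0.0.1' local-network
    npx supabase@beta start --network-id local-network
}

# Step 2: parse `docker ps --format '{{.Names}} {{.Ports}}'` lines on stdin.
# Each line looks like:
#   supabase_db_x 0.0.0.0:54322->5432/tcp, [::]:54322->5432/tcp
# For every mapping whose host side is 0.0.0.0 or [::], print
# "<container> <host-address:port>". Nothing printed means all published
# ports are bound to a specific address such as 127.0.0.1.
external_listeners() {
    awk '{
        name = $1
        for (i = 2; i <= NF; i++) {
            field = $i
            sub(/,$/, "", field)              # drop the trailing comma
            if (field ~ /^(0\.0\.0\.0|\[::\]):[0-9]+->/) {
                split(field, parts, "->")
                print name " " parts[1]
            }
        }
    }'
}

# Run the check against the live Docker daemon; exit 1 if anything is exposed.
audit_docker_ports() {
    exposed="$(docker ps --format '{{.Names}} {{.Ports}}' | external_listeners)"
    if [ -n "$exposed" ]; then
        printf 'Published on a wildcard address:\n%s\n' "$exposed" >&2
        return 1
    fi
    echo "All published ports are bound to specific addresses."
}

# Constructed sample of `docker ps` output (names and ports are made up):
# one container still on 0.0.0.0/[::], one correctly on 127.0.0.1, one on 0.0.0.0.
SAMPLE='supabase_db_demo 0.0.0.0:54322->5432/tcp, [::]:54322->5432/tcp
supabase_kong_demo 127.0.0.1:54321->8000/tcp
supabase_studio_demo 0.0.0.0:54323->3000/tcp'

# Demonstration on the constructed sample (no Docker required).
printf '%s\n' "$SAMPLE" | external_listeners
```

Against the sample, the check reports `supabase_db_demo 0.0.0.0:54322`, `supabase_db_demo [::]:54322` and `supabase_studio_demo 0.0.0.0:54323`, while the kong line bound to 127.0.0.1 is silent. With a real stack, run `audit_docker_ports` after `create_local_network`; it is also worth noting that the `[::]` wildcard appears whenever Docker publishes on IPv6 too, so a check that only looks for `0.0.0.0` would miss half the listeners.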

@doublethink
Contributor Author

@sweatybridge was security asked about this change or was this made in isolation?
It's important to note that there is nothing in our documentation warning users about exposing CLI services externally; I don't think we can say this is a misuse if we aren't cautioning users.
Keen for @aantti to weigh in on this decision?

@sweatybridge
Contributor

Binding to 0.0.0.0 is not a new change. The "new" change introduced 2 years ago was to support custom docker network for users who don't want to bind to 0.0.0.0.

I'm happy to review this decision since we now have a security team. But I think the first step should be to update our docs to warn users about exposing services externally if it hasn't been done before.

Bear in mind that it's not just mobile apps that need to bind to 0.0.0.0 for local dev, it's also a breaking change for Lens users.

@sweatybridge
Contributor

sweatybridge commented Dec 17, 2025

Are we happy to close this as we discussed offline to change the default only when working on cli v3?

Feel free to reopen if plans change.


3 participants