fix(ocap-kernel): allow plain ws:// connections for relay dialing#855
Merged
fix(ocap-kernel): allow plain ws:// connections for relay dialing#855
Conversation
The default libp2p WebSocket filter only permits wss:// (TLS) connections. Relays on private networks or behind a reverse proxy often expose plain ws:// endpoints. Use the "all" filter so both ws:// and wss:// multiaddrs are accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor
Coverage Report
File Coverage
|
||||||||||||||||||||||||||||||||||||||
rekmarks
approved these changes
Feb 27, 2026
Member
rekmarks
left a comment
rekmarks
left a comment
There was a problem hiding this comment.
Approving, but we shouldn't be able to use ws:// outside of the use cases mentioned in the PR description. We can keep webSockets({ filter: wsFilters.all }) so the transport handles
ws://, but replace denyDialMultiaddr: async () => false with a function that:
- Allows any
wss://(secure) - Allows
ws://to RFC 1918 / loopback addresses - Allows
ws://to any hostname in a configurable allowedWsHosts list - Denies everything else
github-merge-queue bot
pushed a commit
that referenced
this pull request
Feb 27, 2026
…ed addresses (#857) PR #855 switched `webSockets()` to use `wsFilters.all` to enable plain `ws://` connections for private-network and reverse-proxy relay scenarios. As written, this also allowed `ws://` to any public internet address, sending unencrypted traffic over the open internet. This PR keeps the transport-level change (`wsFilters.all` must stay so the transport handles `ws://` at all) and adds enforcement in `connectionGater.denyDialMultiaddr`. ## Changes - **`types.ts`**: Adds `allowedWsHosts?: string[]` to both `RemoteCommsOptions` and `ConnectionFactoryOptions` — an explicit per-instance list of hostnames/IPs that are trusted for plain `ws://` beyond the always-allowed private ranges. - **`transport.ts`**: Threads `allowedWsHosts` through to `ConnectionFactory.make()`. - **`connection-factory.ts`**: Replaces the `async () => false` stub with real gating logic via two new module-level helpers: - `isPlainWs(ma)` — detects plain `ws://` using `ma.protoNames()` (true only when `ws` is present and neither `wss` nor `tls` is). - `isPrivateAddress(host)` — checks IPv4 loopback (`127.0.0.0/8`), RFC 1918 ranges, IPv6 loopback/ULA/link-local by direct octet comparison (no bitwise operators). - `denyDialMultiaddr` allows `wss://`, WebRTC, and circuit-relay addresses unconditionally; allows `ws://` only to private/loopback IPs or hosts on `allowedWsHosts`; denies everything else. - **`connection-factory.test.ts`**: Replaces the single stub test with a 9-case `it.each` suite covering secure transports, all four private IPv4 ranges, public IP denial, allowlisted/non-allowlisted hostnames, and non-WebSocket multiaddrs. ## Testing The new `connectionGater.denyDialMultiaddr` describe block exercises the gating function directly by passing minimal `Multiaddr`-shaped objects (with `protoNames()` and `toOptions()`) extracted from the `createLibp2p` mock call args. This avoids any libp2p networking and keeps the tests fast and deterministic. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes libp2p connection gating for `ws://` dials, which can impact connectivity if deployments rely on public plaintext WebSocket relays without configuring `allowedWsHosts`. Logic is security-sensitive (transport encryption policy) but narrowly scoped and covered by new table-driven tests. > > **Overview** > Tightens relay dialing security by adding `connectionGater.denyDialMultiaddr` logic that **denies plaintext `ws://` connections to public/unrecognised hosts** while still allowing `wss://` and non-WebSocket transports. > > Introduces a new `allowedWsHosts` option (plumbed from `RemoteCommsOptions` through `transport.ts` into `ConnectionFactory`) to permit specific non-private `ws://` relay hosts when needed, and replaces the prior “allow all” gater stub with RFC-based private/loopback detection plus an allowlist. > > Updates `connection-factory.test.ts` to validate the new gating behavior across private IPv4 ranges, public IP denial, allowlisted hostnames, and non-WebSocket multiaddrs. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0b7674f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@libp2p/websockets/filtersand use theallfilter for the WebSocket transportwss://(TLS) connections, which blocks relays on private networks or behind a reverse proxy that expose plainws://endpointsTest plan
ws://multiaddrs succeeds (previously rejected)wss://relay connections continue to work🤖 Generated with Claude Code
Note
Medium Risk
Changes libp2p transport configuration to permit non-TLS
ws://connections, which can affect connectivity/security expectations when dialing relays. Scope is small but impacts network transport behavior across environments.Overview
Updates the libp2p WebSocket transport configuration in
connection-factory.tsto use@libp2p/websockets/filters.all, allowing relay dialing over plainws://multiaddrs in addition towss://.This removes the previous implicit restriction to secure WebSockets, improving compatibility with private-network/reverse-proxy relays that only expose
ws://endpoints.Written by Cursor Bugbot for commit 73f8293. This will update automatically on new commits. Configure here.