Merge pull request #17 from kiwicom/prevent-localhost

Improve localhost binding

Author: repli2dev

README.md

@@ -2,6 +2,11 @@
 
 🛠️️ CLI tool to easily bind localhost network interface with additional IP and ensure matching record in /etc/hosts.
 
+> [!WARNING]  
+> **This tool should only be used in local environments and should not be used in production.**
+> 
+> **It is crucial to use this tool only on projects (configs) under your control as it can seriously compromise your /etc/hosts file.**
+
 This is a helper tool to be installed via `composer global` to machines where the localhost deployment process of
 Docker composition (via `docker-compose.yaml`) is prepared in a way that it binds the ports on IP from localhost subnet block and multiple of such
 compositions should be allowed to run in parallel (differentiated by the IP).

src/Config/Config.php

@@ -3,6 +3,7 @@
 namespace Kiwicom\Loopbind\Config;
 
 use JsonSerializable;
+use Kiwicom\Loopbind\Helpers\IPHelpers;
 use function array_map;
 use function filter_var;
 use function is_array;
@@ -36,8 +37,11 @@ public function __construct(
         if (is_array($hostname)) {
             array_map(fn (string $host): bool => filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false ?
                 throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Value `{$host}` is not valid hostname.") : true, $hostname);
+
+            array_map(fn (string $hostname): bool => IPHelpers::isForbiddenDomain($hostname) ?
+                    throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Hostname `{$hostname}` is forbidden by this tool.") : true, $hostname);
         }
-        if ($hostname === 'localhost') {
+        if (is_string($hostname) && IPHelpers::isForbiddenDomain($hostname)) {
             throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Hostname `{$hostname}` is forbidden by this tool.");
         }
 

src/Helpers/IPHelpers.php

@@ -34,4 +34,31 @@ public static function findRandomFreeLocalIP(): string
         }
         throw new UnableToFindUnreferencedIPAddressException();
     }
+
+    /**
+     * Returns true iff the given URL is a forbidden domain
+     * @param string $url
+     * @return bool
+     */
+    public static function isForbiddenDomain(string $url): bool
+    {
+        $url = mb_strtolower($url);
+        $forbidden = [
+            'localhost',
+            'localhost4',
+            'localhost6',
+            'localhost.localdomain',
+            'localhost4.localdomain4',
+            'localhost6.localdomain6',
+            'ip6-localhost',
+            'ip6-loopback',
+            'ip6-localnet',
+            'ip6-mcastprefix',
+            'ip6-allnodes',
+            'ip6-allrouters',
+            'ip6-allhosts',
+            'broadcasthost'
+        ];
+        return in_array($url, $forbidden, true);
+    }
 }

tests/Config/ConfigTest.php

@@ -44,4 +44,10 @@ public function testInvalidHostname2(): void
         $this->expectException(\Kiwicom\Loopbind\Exceptions\InvalidHostnameException::class);
         new Config('127.0.0.12', 'č.test');
     }
+
+    public function testInvalidHostname3(): void
+    {
+        $this->expectException(\Kiwicom\Loopbind\Exceptions\InvalidHostnameException::class);
+        new Config('127.0.0.12', ['localhost']);
+    }
 }