
cider-jack-in starts a network repl that listens on all interfaces without authentication #2482

Closed
erno opened this issue Oct 11, 2018 · 9 comments

@erno

erno commented Oct 11, 2018

This is a security vulnerability as there is no authentication. As I understand it, CIDER now lets anyone from the internet connect to the REPL and execute code. Leiningen doesn't seem to have this problem, there "lein repl :headless" uses localhost by default.

(Allowing any user/process from localhost to run code without authentication is also a vulnerability but a smaller one.)

I installed cider from melpa unstable last week, cider-version returns "CIDER 0.18.1snapshot (package: 20180930.1836)"

I don't know elisp, but are the default values in defcustom on the first line? In this case, the line at cider/cider.el, line 111 in a5cbaef:

"repl :headless :host ::"

should be changed to say :host localhost (and/or authentication & TLS added to the repl).

@bbatsov
Member

bbatsov commented Oct 12, 2018

I thought that :: was just some alias for localhost that was using IPv6 instead. I guess that might not be the case. :-)

You can also check nrepl/nrepl#46 where we're working on adding some basic local authorization mechanism for nREPL.

@bbatsov
Member

bbatsov commented Oct 12, 2018

Oops, turns out that's actually ::1.

> should be changed to say :host localhost (and/or authentication & TLS added to the repl).

Isn't this the same as just removing :host?

@erno
Author

erno commented Oct 12, 2018

Yes, removing :host seems to do the same thing.

Good that there is authorization coming!

johnv02139 pushed a commit to johnv02139/cider that referenced this issue Oct 12, 2018
@bbatsov
Member

bbatsov commented Oct 13, 2018

Btw, I just remembered we did this change because of that bug report https://dev.clojure.org/jira/browse/NREPL-83

Now I'm really puzzled about what the best approach is here, as it seems that :: does not mean "any local", but I also can't find anything online about this. //cc @hanshuebner

@hanshuebner
Contributor

Nice find, @bbatsov! I would not have suspected that this issue is connected to my usage of :: as the localhost address so that it works consistently with both IPv4 and IPv6.

{:user {:repl-options {:host "::"}}}

The address :: is specified to be the "unspecified address" according to RFC3513, and according to the JVM Networking IPv6 User Guide the JVM interprets that address, while listening, to mean that it accepts both IPv4 and IPv6 connections on any local interface:

> Unspecified address (:: corresponding to 0.0.0.0 in IPv4)
>
> This is also called anylocal or wildcard address. If a socket is bound to an IPv6 anylocal address on a dual-stack machine, it can accept both IPv6 and IPv4 traffic; if it is bound to an IPv4 (IPv4-mapped) anylocal address, it can only accept IPv4 traffic. The Java runtime always tries to bind to IPv6 anylocal address on a dual-stack machine unless a related system property is set to use IPv4 Stack.
>
> When bound to ::, the method ServerSocket.accept accepts connections from both IPv6 or IPv4 hosts. The Java platform API currently has no way to specify to accept connections only from IPv6 hosts.

@hanshuebner
Contributor

I need to add that even if I remove the {:host "::"} clause from my profile, the problem stays the same.

@bbatsov
Member

bbatsov commented Oct 13, 2018

@hanshuebner Likely because starting with 0.2.13 :: is the default address on which nREPL listens. Which means that generally we should come up with a better default for nREPL if :: really is a security risk.

@hanshuebner
Contributor

I see. It seems that there is no way to listen just for the two localhost addresses (::1 and 127.0.0.1) and ::, unlike my expectation, basically does the same thing as listening with the local address completely unspecified. I agree that listening for remote connections with no additional security measures in place is a bad default that should be changed.

I've tried to add {:host "localhost"} to my leiningen user profile, but the original problem persists even then.
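
As an added example, not code from CIDER, nREPL or anyone in this thread: a small POSIX shell check for a Linux host that reads `ss -ltn` output and reports every listener bound to a wildcard address (`*`, `0.0.0.0`, `[::]`), which is how a JVM that bound `::` appears from the outside, while loopback-only binds (`127.0.0.1`, `[::1]`) are left out. The sample `ss` lines, port numbers and the `exposed_listeners` / `check_live` function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not CIDER's or nREPL's own code).
# Reports listening TCP sockets bound to a wildcard address, i.e. reachable
# from other hosts, from `ss -ltn`-style lines read on stdin.

exposed_listeners() {
  # $1 (optional): only report this port, e.g. the nREPL port from .nrepl-port
  awk -v port="$1" '
    $1 == "LISTEN" {
      la = $4                                  # "addr:port" column
      n = match(la, /:[0-9]+$/)                # port is after the last colon
      if (n == 0) next
      addr = substr(la, 1, n - 1)
      p = substr(la, n + 1)
      if (port != "" && p != port) next
      # ss prints "*" for the IPv6 unspecified address on some versions,
      # "[::]" on others; 0.0.0.0 is the IPv4 wildcard
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::")
        print addr ":" p
    }'
}

# Run against the live socket table (Linux; needs iproute2's ss).
check_live() {
  ss -ltn | exposed_listeners "$1"
}

# Constructed sample: a JVM bound to :: (dual-stack wildcard, port 37869),
# a JVM bound to localhost (v4 and v6 loopback, port 41205), and sshd.
SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      50     *:37869              *:*
LISTEN 0      50     127.0.0.1:41205      0.0.0.0:*
LISTEN 0      50     [::1]:41205          [::]:*
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*'

# Stand-alone demo over the constructed sample: prints the two exposed
# listeners; the localhost-bound REPL on 41205 is not reported.
printf '%s\n' "$SAMPLE" | exposed_listeners
```

To check a running REPL, pass the port from the project's `.nrepl-port` file: `check_live "$(cat .nrepl-port)"` prints nothing when the REPL is bound to loopback only and one line when it is on a wildcard address. On macOS the same information comes from `lsof -nP -iTCP -sTCP:LISTEN`, but in a different column layout, so the awk field would need adjusting.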

@bbatsov
Member

bbatsov commented Oct 26, 2018

Fixed in nREPL as well.

@bbatsov bbatsov closed this as completed Oct 26, 2018