Security Finding: No Relay URL Validation
Severity: Medium
Component: Relay communication (relay.js, cmd.js)
Description
The relay URL is used directly in HTTP requests without validation. The plugin connects to the relay server to claim pair tokens, check in, and publish events.
No validation is performed on the relay URL:
- No certificate pinning
- No HTTPS enforcement (HTTP URLs accepted)
- No URL scheme validation
- No host allowlist
Default Relay
The default relay URL is hardcoded:
// cmd.js line 270
"https://whisper.clankercontext.com"
Impact
- MITM attacks: An attacker on the network path can intercept the HMAC secret during the checkin/publish flow
- Typosquatting: If a user mistypes the relay URL, the plugin will send credentials to an attacker-controlled server
- No downgrade protection: Plugin does not enforce HTTPS
Evidence
From relay.js:
    // dist/src/relay.js: slash(root) only appends a trailing "/" so that
    // relative paths resolve beneath root; nothing checks scheme or host.
    async function call(root, path, body) {
      const url = new URL(path, slash(root)); // Direct URL construction, no validation
      const res = await fetch(url, {
        method: "POST",
        // ... no certificate validation options
      });
    }
Recommendation
- Enforce HTTPS by rejecting non-HTTPS relay URLs
- Consider TOFU (Trust On First Use) for the relay certificate
- Add URL validation (scheme, host format)
- Document expected relay server identity for verification
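The following is an added example (not code from the plugin) of how the recommendations above could be applied in relay.js before any request leaves the process: it enforces https, rejects embedded credentials, checks the hostname format, applies an optional host allowlist, and confirms that the final request URL still lives on the relay's origin (a relative path such as "//other.example/x" would otherwise resolve to a different host). The names validateRelayUrl, buildRelayRequestUrl, RELAY_ALLOWLIST and the fetchImpl parameter are assumptions; the default relay value is the one the page quotes from cmd.js.

```javascript
// Added example: fail-closed relay URL validation for the plugin's call() path.
// Names below (validateRelayUrl, buildRelayRequestUrl, RELAY_ALLOWLIST) are assumptions.

const DEFAULT_RELAY = "https://whisper.clankercontext.com"; // default quoted from cmd.js

// Hosts the plugin is willing to talk to. An empty list means "any well-formed
// host" (scheme and format checks still apply).
const RELAY_ALLOWLIST = ["whisper.clankercontext.com"];

// RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
// no leading or trailing hyphen, no empty labels. Rejects IP literals and "[::1]".
const HOSTNAME_RE = /^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$/i;

// Validate a relay root URL and return a normalized URL object, or throw.
function validateRelayUrl(raw, allowlist = RELAY_ALLOWLIST) {
  let url;
  try {
    url = new URL(raw); // absolute URL required; relative input throws here
  } catch {
    throw new Error(`relay URL is not a valid absolute URL: ${raw}`);
  }
  if (url.protocol !== "https:") {
    throw new Error(`relay URL must use https, got ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error("relay URL must not embed credentials");
  }
  if (!HOSTNAME_RE.test(url.hostname)) {
    throw new Error(`relay host is not a valid hostname: ${url.hostname}`);
  }
  if (allowlist.length && !allowlist.includes(url.hostname.toLowerCase())) {
    throw new Error(`relay host ${url.hostname} is not in the allowlist`);
  }
  // Query and fragment have no meaning for a relay root; drop them.
  url.search = "";
  url.hash = "";
  return url;
}

// Same helper the evidence snippet relies on: ensure a trailing "/".
function slash(root) {
  return root.endsWith("/") ? root : root + "/";
}

// Build the request URL for an endpoint path and make sure it cannot escape
// the validated relay origin (e.g. path "//other.example/x" or "https://x/").
function buildRelayRequestUrl(root, path, allowlist = RELAY_ALLOWLIST) {
  const base = validateRelayUrl(root, allowlist);
  const url = new URL(path, slash(base.href));
  if (url.origin !== base.origin) {
    throw new Error(`endpoint path escaped relay origin: ${path}`);
  }
  return url;
}

// Hardened counterpart of relay.js call(): validation happens before any I/O.
// fetchImpl is injectable so the function can be exercised without a network.
async function call(root, path, body, fetchImpl = fetch) {
  const url = buildRelayRequestUrl(root, path);
  const res = await fetchImpl(url, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) {
    throw new Error(`relay responded ${res.status} for ${url.pathname}`);
  }
  return res.json();
}
```

With this in place a mistyped or http:// relay value fails at startup instead of sending the HMAC secret to whatever host the typo resolves to; an operator who needs a different relay extends RELAY_ALLOWLIST (or passes an empty list) deliberately rather than by accident. Certificate pinning or TOFU would sit on top of this, at the TLS layer, and is not shown here.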
References
- File: dist/src/relay.js (call function)
- File: dist/src/cmd.js (envRelay function, line 267-271)