Description
When NemoClaw forwards HTTP_PROXY / HTTPS_PROXY into subprocess environments, withLocalNoProxy() makes sure local requests do not get routed through the proxy.
Right now it only adds localhost,127.0.0.1 to NO_PROXY / no_proxy.
This misses IPv6 loopback (::1) and 0.0.0.0. As a result, tools that respect proxy variables may send requests for local IPv6-aware services, such as http://[::1]:PORT, through the configured proxy instead of connecting directly.
This does not appear to be a security bypass, since the proxy also refuses loopback traffic. It is mainly a correctness and developer-experience issue: local services can fail in a confusing way when IPv6 loopback is used.
Affected mirrored files:
src/lib/subprocess-env.ts
nemoclaw/src/lib/subprocess-env.ts
Related prior work: #2616 fixed localhost proxy bypass handling, but this issue appears to cover the remaining local host entries rather than duplicating that exact report.
Expected behavior when any HTTP proxy variable is forwarded:
NO_PROXY=localhost,127.0.0.1,::1,0.0.0.0
no_proxy=localhost,127.0.0.1,::1,0.0.0.0
Reproduction Steps
- Inspect withLocalNoProxy() in src/lib/subprocess-env.ts.
- Create an environment object with a proxy set:
const env = { HTTP_PROXY: "http://proxy.example.com:8888" };
withLocalNoProxy(env);
- Observe that the generated NO_PROXY value only includes:
localhost,127.0.0.1
- Try a local IPv6 loopback target from a tool that respects HTTP_PROXY, for example:
- The request can be routed through the proxy instead of bypassing it locally.
Expected result:
localhost,127.0.0.1,::1,0.0.0.0
should be present in both NO_PROXY and no_proxy.
Environment
- OS: Not OS-specific; reproducible from the helper logic directly
- Node.js: >= 22.16.0
- Docker: Not required for minimal reproduction
- NemoClaw: current main branch
- Proxy environment: HTTP_PROXY or HTTPS_PROXY set
Debug Output
Not applicable.
This is a small code-level issue in subprocess environment construction and can be reproduced directly with `withLocalNoProxy()` without a full sandbox debug bundle.
Logs
Current behavior:
NO_PROXY=localhost,127.0.0.1
no_proxy=localhost,127.0.0.1
Expected behavior:
NO_PROXY=localhost,127.0.0.1,::1,0.0.0.0
no_proxy=localhost,127.0.0.1,::1,0.0.0.0
Checklist
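Added example, not NemoClaw's code: one way to produce the expected NO_PROXY / no_proxy value while keeping entries the caller already set, plus a simplified matcher that shows why http://[::1]:PORT is not bypassed under the current value. The names mergeLocalNoProxy and bypassesProxy, the lowercase proxy variable names, and the matching rules are assumptions; real tools parse NO_PROXY differently.

```typescript
// Added example with hypothetical names; not the project's withLocalNoProxy().
type Env = Record<string, string | undefined>;

// Lowercase variants are an assumption; the issue names HTTP_PROXY / HTTPS_PROXY.
const PROXY_VARS = ["HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"];
// Entries from the issue's expected value.
const LOCAL_HOSTS = ["localhost", "127.0.0.1", "::1", "0.0.0.0"];

// Split a NO_PROXY value into trimmed, non-empty entries.
function splitNoProxy(value: string | undefined): string[] {
  return (value ?? "").split(",").map((e) => e.trim()).filter((e) => e.length > 0);
}

// Return a copy of env with the local entries merged into NO_PROXY and no_proxy.
// Existing entries come first; duplicates are dropped case-insensitively.
// An env without any proxy variable is returned as an unchanged copy.
function mergeLocalNoProxy(env: Env): Env {
  const out: Env = { ...env };
  if (!PROXY_VARS.some((name) => (env[name] ?? "") !== "")) return out;
  const seen: string[] = [];
  const merged: string[] = [];
  const all = splitNoProxy(env["NO_PROXY"]).concat(splitNoProxy(env["no_proxy"]), LOCAL_HOSTS);
  for (const entry of all) {
    const key = entry.toLowerCase();
    if (seen.indexOf(key) === -1) {
      seen.push(key);
      merged.push(entry);
    }
  }
  out["NO_PROXY"] = merged.join(",");
  out["no_proxy"] = merged.join(",");
  return out;
}

// Simplified matcher: "*", exact host, or domain-suffix match.
// Brackets around IPv6 literals ("[::1]") are stripped before comparing.
function bypassesProxy(host: string, noProxy: string | undefined): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase();
  return splitNoProxy(noProxy).some((entry) => {
    const e = entry.replace(/^\[|\]$/g, "").toLowerCase();
    const suffix = "." + e.replace(/^\./, "");
    return e === "*" || h === e || h.slice(-suffix.length) === suffix;
  });
}
```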