fix(core): bind reflection server to loopback only #5573
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request restricts the reflection server to bind only to the loopback interface, preventing the unauthenticated local development API from being exposed on all interfaces. Feedback suggests explicitly binding to '127.0.0.1' instead of 'localhost' to avoid potential dual-stack (IPv4/IPv6) connectivity issues in Node.js.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Thanks — applied. Switched the bind from
0a1bd7f to b84fc9d
The JS reflection server called server.listen(port, ...) with no host, binding all interfaces (0.0.0.0) even though it logs "localhost" and is an unauthenticated local development API. Bind the explicit IPv4 loopback (127.0.0.1) so the dev server is reachable only from the local machine, matching the Go runtime (the Python runtime binds localhost).
b84fc9d to 4580442
Summary

The JS reflection server (js/core/src/reflection.ts) starts with server.listen(this.port, ...) and no host argument, so Node binds it to all interfaces (0.0.0.0/::) even though it logs that it is "running on http://localhost" and it is an unauthenticated local development API (it exposes /api/runAction, /api/notify, and other endpoints). The Go (go/genkit/reflection.go -> 127.0.0.1) and Python (py/.../_reflection.py -> host='localhost') runtimes already bind loopback. This change aligns the JS runtime with them.

Change

Pass 'localhost' as the host to server.listen(...) so the reflection dev server is reachable only from the local machine. This matches the existing log message and the Go/Python behavior, and is transparent to the local genkit CLI tooling which connects via http://localhost:${port}.