fix: 移除 DNS rebinding 防御（Bearer token 认证已足够）

src/server/app.ts

@@ -8,7 +8,6 @@ import { config } from '../config/index.js';
 import { BrowserManager, browserManager } from '../browser/manager.js';
 import { logger } from '../utils/logger.js';
 import {
-  dnsRebindingGuard,
   shutdownGuard,
   errorHandler,
   bearerAuth,
@@ -88,7 +87,6 @@ export class AppServer {
     this.app.use(express.json());
 
     // 2. Security & availability middleware
-    this.app.use(dnsRebindingGuard);
     this.app.use(shutdownGuard(() => this.shuttingDown));
 
     // 3. MCP server

src/server/middleware.ts

@@ -12,40 +12,7 @@ import { sanitizeErrorMessage } from '../utils/errors.js';
 // Allowed hosts for DNS rebinding protection
 // ---------------------------------------------------------------------------
 
-const allowedHosts = new Set<string>([
-  '127.0.0.1',
-  'localhost',
-  `127.0.0.1:${config.port}`,
-  `localhost:${config.port}`,
-]);
-
-// ---------------------------------------------------------------------------
-// 1. DNS Rebinding Guard
-// ---------------------------------------------------------------------------
-
-/**
- * Reject requests whose `Host` header does not match an expected localhost
- * value. This prevents DNS rebinding attacks from reaching the service when
- * it is bound to the loopback interface.
- */
-export function dnsRebindingGuard(
-  req: Request,
-  res: Response,
-  next: NextFunction,
-): void {
-  const host = req.headers.host;
-
-  if (!host || !allowedHosts.has(host)) {
-    logger.warn(
-      { host, ip: req.ip, method: req.method, url: req.originalUrl },
-      'DNS rebinding guard: blocked request with disallowed Host header',
-    );
-    res.status(403).json({ error: 'Forbidden' });
-    return;
-  }
-
-  next();
-}
+// DNS rebinding guard removed — Bearer token auth is sufficient
 
 // ---------------------------------------------------------------------------
 // 2. Shutdown Guard (factory)

test/middleware.test.ts

@@ -1,153 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-
-// ---------------------------------------------------------------------------
-// Mocks -- must be declared before importing the module under test.
-// ---------------------------------------------------------------------------
-
-// The middleware module reads `config.port` at module scope to build the
-// allowedHosts set, so we need the mock in place before the import.
-vi.mock('../src/config/index.js', () => ({
-  config: {
-    port: 3000,
-  },
-}));
-
-vi.mock('../src/utils/logger.js', () => ({
-  logger: {
-    error: vi.fn(),
-    warn: vi.fn(),
-    info: vi.fn(),
-    debug: vi.fn(),
-    child: vi.fn(() => ({
-      error: vi.fn(),
-      warn: vi.fn(),
-      info: vi.fn(),
-      debug: vi.fn(),
-    })),
-  },
-}));
-
-vi.mock('../src/utils/errors.js', () => ({
-  sanitizeErrorMessage: vi.fn((msg: string) => msg),
-}));
-
-import { dnsRebindingGuard } from '../src/server/middleware.js';
-
-// ---------------------------------------------------------------------------
-// Helpers -- lightweight Express req/res/next fakes
-// ---------------------------------------------------------------------------
-
-interface FakeRequest {
-  headers: Record<string, string | undefined>;
-  ip?: string;
-  method?: string;
-  originalUrl?: string;
-}
-
-interface FakeResponse {
-  statusCode: number;
-  body: unknown;
-  status: (code: number) => FakeResponse;
-  json: (data: unknown) => FakeResponse;
-}
-
-function createReq(host?: string): FakeRequest {
-  return {
-    headers: host !== undefined ? { host } : {},
-    ip: '127.0.0.1',
-    method: 'GET',
-    originalUrl: '/test',
-  };
-}
-
-function createRes(): FakeResponse {
-  const res: FakeResponse = {
-    statusCode: 200,
-    body: undefined,
-    status(code: number) {
-      res.statusCode = code;
-      return res;
-    },
-    json(data: unknown) {
-      res.body = data;
-      return res;
-    },
-  };
-  return res;
-}
-
-// ---------------------------------------------------------------------------
-// dnsRebindingGuard
-// ---------------------------------------------------------------------------
-
-describe('dnsRebindingGuard', () => {
-  let next: ReturnType<typeof vi.fn>;
-
-  beforeEach(() => {
-    next = vi.fn();
-  });
-
-  it('allows requests with Host: 127.0.0.1', () => {
-    const req = createReq('127.0.0.1');
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).toHaveBeenCalledTimes(1);
-    expect(res.statusCode).toBe(200);
-  });
-
-  it('allows requests with Host: localhost', () => {
-    const req = createReq('localhost');
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).toHaveBeenCalledTimes(1);
-  });
-
-  it('allows requests with Host: localhost:<PORT>', () => {
-    const req = createReq('localhost:3000');
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).toHaveBeenCalledTimes(1);
-  });
-
-  it('allows requests with Host: 127.0.0.1:<PORT>', () => {
-    const req = createReq('127.0.0.1:3000');
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).toHaveBeenCalledTimes(1);
-  });
-
-  it('blocks requests with Host: evil.com', () => {
-    const req = createReq('evil.com');
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).not.toHaveBeenCalled();
-    expect(res.statusCode).toBe(403);
-    expect(res.body).toEqual({ error: 'Forbidden' });
-  });
-
-  it('blocks requests with no Host header', () => {
-    const req: FakeRequest = {
-      headers: {},
-      ip: '127.0.0.1',
-      method: 'GET',
-      originalUrl: '/test',
-    };
-    const res = createRes();
-
-    dnsRebindingGuard(req as any, res as any, next);
-
-    expect(next).not.toHaveBeenCalled();
-    expect(res.statusCode).toBe(403);
-    expect(res.body).toEqual({ error: 'Forbidden' });
-  });
-});