fix(dashboard): remove X-Real-IP trust from localhost-only guards (PILOT-301)

[matthew-pilot]

What failed

The localhostOnly middleware and the inline checks in /api/nodes and /api/snapshot handlers all trusted the X-Real-IP header when RemoteAddr was loopback. In a typical reverse-proxy setup where nginx runs on the same host as the rendezvous, an attacker reaching the proxy from anywhere could send X-Real-IP: 127.0.0.1 and bypass the localhost gate, gaining access to:

• /api/nodes — node listing with addresses and hostnames
• /api/snapshot — snapshot trigger
• /metrics — Prometheus metrics
• /debug/pprof/* — profiling endpoints

The fix

Remove X-Real-IP entirely from the localhost check. The only thing that matters is the actual TCP peer address (RemoteAddr). If RemoteAddr is loopback, the request is local — regardless of header claims. X-Real-IP can be set by anyone and must not be trusted for access-control decisions.

Files changed

• dashboard/dashboard.go — simplified localhostOnly helper, /api/nodes, and /api/snapshot handlers
• dashboard/zz_more_test.go — renamed TestLocalhostOnly_HonorsXRealIP to TestLocalhostOnly_IgnoresXRealIP with inverted assertion

Verification

go build ./...   # ✅ clean
go vet ./...     # ✅ clean
go test ./...    # ✅ all packages pass (dashboard: 3.0s)

Closes PILOT-301

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[matthew-pilot]

🤖 PR Status (matthew-pr-worker)

PR: #24 — fix(dashboard): remove X-Real-IP trust from localhost-only guards (PILOT-301)
State: OPEN · Mergeable: ✅ CLEAN
Branch: openclaw/pilot-301-20260530-180148 → main

CI Checks (2/2 passing ✅)

Check	Result
test	✅ passed (1m0s)
codecov/patch	✅ passed

Diff Stats

• Files: 2 (dashboard/dashboard.go, dashboard/zz_more_test.go)
• Changes: +9 / −28 (37 Δ)
• Labels: none
• Canary: not-configured (security fix — headers/authz)

Classification

Wave 1 · Action: pr-status + pr-explain · Tier: small

---

matthew-pr-worker tick 2026-05-30T18:20Z

[matthew-pilot]

🤖 PR Explain (matthew-pr-worker)

What this PR does (PILOT-301)

Problem: The localhostOnly middleware + inline guards in /api/nodes and /api/snapshot handlers were trusting X-Real-IP when RemoteAddr was loopback. In a reverse-proxy setup (nginx on same host), a remote attacker could send X-Real-IP: 127.0.0.1 and bypass the localhost gate entirely — gaining access to node listings, snapshot triggers, Prometheus metrics, and pprof endpoints.

Fix: Remove X-Real-IP from all three access-control decision points. The only trusted signal is the actual TCP peer address (RemoteAddr). If it's loopback, the request is local — header claims don't matter.

Walkthrough

File	Δ	What changed
dashboard/dashboard.go	+3/−22	Simplified localhostOnly helper: removed the 6-line X-Real-IP extraction block. Same pattern removed from /api/nodes and /api/snapshot inline guards (2× each). Net: remove 3 copies of the same trust-the-header anti-pattern.
dashboard/zz_more_test.go	+6/−6	Renamed TestLocalhostOnly_HonorsXRealIP → TestLocalhostOnly_IgnoresXRealIP. Inverted the assertion: requests from loopback with X-Real-IP: 8.8.8.8 should now be allowed (the remote header is not trusted), not blocked.

Security implication

This was a real access-control bypass. X-Real-IP is set by the upstream proxy (nginx/traefik), and on same-host deployments the proxy can be reached remotely. An attacker who can connect to the proxy port but sets a loopback X-Real-IP header gets localhost-only endpoint access. The fix is correct: authz based on RemoteAddr only.

Scope

• Tier: small (2 files, +9/−28)
• Verdict: ✅ fix is sound — removes untrusted input from authz decisions

---

matthew-pr-worker tick 2026-05-30T18:20Z

[matthew-pilot]

🤖 PR Status Check

PR #24: fix(dashboard): remove X-Real-IP trust from localhost-only guards (PILOT-301)
State: open | Mergeable: MERGEABLE (clean) ✅
CI: 2/2 ✅ all passing
Changes: +9/−28 in 2 file(s)
Labels: (none)

---

matthew-pr-worker • 2026-05-31T11:58:00Z

[matthew-pilot]

🤖 PR Explanation

fix(dashboard): remove X-Real-IP trust from localhost-only guards (PILOT-301)

Summary

What failed

The localhostOnly middleware and the inline checks in /api/nodes and /api/snapshot handlers all trusted the X-Real-IP header when RemoteAddr was loopback. In a typical reverse-proxy setup where nginx runs on the same host as the rendezvous, an attacker reaching the proxy from anywhere could send X-Real-IP: 127.0.0.1 and bypass the localhost gate, gaining access to:

• /api/nodes — node listing with addresses and hostnames
• /api/snapshot — snapshot trigger
• `/metri...

Changes

+9/−28 lines across 2 file(s):

• dashboard/dashboard.go (+3/−22): clientIP := remoteIP
• dashboard/zz_more_test.go (+6/−6): func TestLocalhostOnly_HonorsXRealIPFromLocalhost(t *testing.T) {

Files Changed

dashboard/dashboard.go, dashboard/zz_more_test.go

---

matthew-pr-worker • 2026-05-31T11:58:00Z