Open
Labels
bug (Something isn't working), security (Security vulnerability or concern)
Description
Type
security
Severity
medium
Area
nmapui/handlers/connections.py — on_connect
Description
The SocketIO on_connect handler has no @require_socket_auth() decorator. Any client can connect and immediately receive customer_info, network_key, client_state_snapshot, and auto_scan_status data including:
- Customer names and IDs
- Network topology (hop data, gateway IPs)
- Public and private IP addresses
- Scan configuration
While request_is_local_ui() may provide mitigation for the default localhost-only deployment, if the app is ever exposed on a network interface, this leaks sensitive reconnaissance data to unauthenticated clients.
Proposed Fix
Add authentication to the connect handler or reject non-local connections:
```python
@socketio.on("connect")
def on_connect():
    if not request_is_local_ui():
        auth = request.authorization
        if not auth or not check_auth(auth.username, auth.password):
            return False  # Reject connection
    # ... existing connection logic
```
Related Issues
#164 (Security hardening initiative)
#157 (Require auth for runtime status/log endpoints — closed)
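
A regression check for this class of bug, added here as an example and not taken from the issue or the nmapui code base: it parses handler source with Python's `ast` module and reports every `@socketio.on(...)` handler that lacks `@require_socket_auth()`. The sample module, the `start_scan` event and the `disconnect` exemption are assumptions.

```python
import ast

# Constructed sample of a handlers module (not the project's real file).
SAMPLE = '''
@socketio.on("connect")
def on_connect():
    emit("customer_info", {})

@socketio.on("start_scan")
@require_socket_auth()
def on_start_scan(data):
    pass

@socketio.on("disconnect")
def on_disconnect():
    pass
'''

def _decorator_name(dec):
    """Dotted name of a decorator, whether or not it is called."""
    return ast.unparse(dec.func if isinstance(dec, ast.Call) else dec)

def _event_name(dec):
    """Event string if `dec` is a socketio.on("...") call, else None."""
    if (isinstance(dec, ast.Call) and _decorator_name(dec) == "socketio.on"
            and dec.args and isinstance(dec.args[0], ast.Constant)):
        return dec.args[0].value
    return None

def unauthenticated_handlers(source, auth_decorator="require_socket_auth",
                             exempt=("disconnect",)):
    """Return (event, function, line) for handlers missing the auth decorator.

    `exempt` lists events assumed not to need auth (an assumption of this example).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = [_decorator_name(d).split(".")[-1] for d in node.decorator_list]
        events = [e for e in map(_event_name, node.decorator_list) if e is not None]
        if events and auth_decorator not in names:
            findings += [(e, node.name, node.lineno) for e in events if e not in exempt]
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    for event, func, line in unauthenticated_handlers(SAMPLE):
        print(f"line {line}: {func}() handles {event!r} without an auth decorator")
```

Run against the real handlers file in CI, a non-empty result fails the build before an unguarded handler ships.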