You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
beacon: prober dials a curated allowlist only; default daily
Security (safe-then-expand): the prober no longer reads the harvested
relays directory for targets — that set is attacker-influenceable (anyone
can publish a relay list we harvest), which would let the prober be used
to dial arbitrary external hosts. It now dials ONLY a small built-in
allowlist of well-known relays, expandable via PROBE_RELAYS.
- src/prober.js: DEFAULT_PROBE_RELAYS + proberRelays(env); sweepOnce uses
it (drops the db.relays.find target query); all entries screened via
safeRelayUrl. Default interval 1h -> 24h (daily). USAGE updated.
- .env.example: document PROBE_RELAYS + daily default.
- tests: proberRelays (default allowlist; PROBE_RELAYS override drops
loopback/junk) + interval default 86400000. npm test 64/64.
Live --once: writes exactly the 8 allowlist relays, none from the directory.
Closes#27
0 commit comments