Security
mountebank is programmable through injection. This makes the tool very extensible and flexible, but it should only be used with an understanding of the security implications. When you enable the --allowInjection flag, you aren't just giving yourself the ability to extend mountebank: you're also potentially giving attackers remote code execution capabilities on your machine.

mountebank highly recommends you take the following approaches to securing your environment if you require --allowInjection:

- ALWAYS run mb as an unprivileged user
- If possible, set the --localOnly flag to only accept requests from localhost. There's no reason not to do this when running directly (e.g., not inside Docker or a VM) on your local developer machine.
- Whitelist all IP addresses allowed to connect to mountebank by setting the --ipWhitelist flag.
- Consider using a local OS-level firewall like iptables
- Consider running mb in a Docker environment or under a chroot operation to prevent access to the full filesystem

The most secure option, of course, is to simply not use the --allowInjection flag. If there are common operations you find yourself using injection for, feel free to suggest those operations as core features in a future release of mountebank.

By default, CORS is disabled to prevent CSRF attacks. To enable it, you must explicitly pass safe origins on the command line using the --origin flag.
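As an added example (not part of mountebank or its documentation), the following POSIX sh launcher only turns on --allowInjection together with the mitigations listed above: it refuses to start as root, falls back to --localOnly when no remote clients are whitelisted, and leaves CORS disabled unless an origin is given. It assumes mb is on PATH and that --ipWhitelist accepts a pipe-delimited list of addresses (the flag names come from this page; that value format is an assumption).

```shell
#!/bin/sh
# Added example, not mountebank's own code. Assumes `mb` is on PATH and that
# --ipWhitelist takes a pipe-delimited address list (assumed value format).

# Succeeds only when the current user is not root.
check_unprivileged() {
  [ "$(id -u)" -ne 0 ]
}

# Build the hardened argument list for mb.
#   $1 port
#   $2 pipe-delimited whitelist; "" means localhost only (--localOnly)
#   $3 a single allowed CORS origin; "" keeps CORS disabled
build_mb_args() {
  port="$1"; whitelist="$2"; origin="$3"
  args="--port $port --allowInjection"
  if [ -z "$whitelist" ]; then
    # No remote clients needed: the strongest option from the list above.
    args="$args --localOnly"
  else
    # Remote clients needed (e.g. inside Docker): restrict by source address.
    args="$args --ipWhitelist $whitelist"
  fi
  if [ -n "$origin" ]; then
    args="$args --origin $origin"
  fi
  printf '%s' "$args"
}

# Refuse to launch as root, then exec mb with the hardened flags.
run_mb() {
  if ! check_unprivileged; then
    echo "refusing to start mb as root; run it as an unprivileged user" >&2
    return 1
  fi
  # Word splitting is intentional: none of the values contain spaces.
  exec mb $(build_mb_args "$1" "$2" "$3")
}
```

Call `run_mb 2525 "" ""` for a localhost-only instance on a developer machine, or `run_mb 2525 '10.0.0.5|10.0.0.6' ""` when two known hosts must reach it.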