Security: Flask backend runs on localhost but accessible to any process on the machine, allows local privilege escalation

## Problem

Flask backend bound to 127.0.0.1 but any local process can access it. Malicious app can execute scripts as the user.

---

## Recommended Solution

Use Unix socket for Electron communication:

```javascript
const net = require('net');
const fs = require('fs');

function createUnixSocket() {
  const socketPath = path.join(os.tmpdir(), `devshell-${process.pid}.sock`);
  
  // Clean up old socket
  try { fs.unlinkSync(socketPath); } catch {}
  
  return socketPath;
}

const socketPath = createUnixSocket();
const server = net.createServer();
server.listen(socketPath);
```

---

## Program Template
- [x] GSSoC '26

---

## Suggested Labels
security, privilege-escalation, ipc, gssoc-eligible
EOF
)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Flask backend runs on localhost but accessible to any process on the machine, allows local privilege escalation #209

Problem

Recommended Solution

Program Template

Suggested Labels

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security: Flask backend runs on localhost but accessible to any process on the machine, allows local privilege escalation #209

Description

Problem

Recommended Solution

Program Template

Suggested Labels

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions