Skip to content

Insecure defaults: binds 0.0.0.0 with authentication disabled, exposing account data and /connection/login #49

Description

@dceoy

Problem

The out-of-the-box configuration is insecure: the server binds to all interfaces (0.0.0.0) while authentication is disabled unless MT5API_SECRET_KEY is set. A default python -m mt5api run therefore exposes trading-account data and terminal control to the whole network segment, with no warning at startup.

Evidence

  • mt5api/constants.py:27: DEFAULT_API_HOST = "0.0.0.0" # noqa: S104 — the bandit warning for binding all interfaces is explicitly suppressed rather than addressed.
  • mt5api/auth.py:17,30-32 + mt5api/config.py:116-122: auth is enabled only when MT5API_SECRET_KEY is set; otherwise verify_api_key allows every request.
  • README / docs/index.md:45 / docs/api/rest-api.md:31 present the key as "Optional: omit to disable auth" and even show uvicorn mt5api.main:app --host 0.0.0.0 as the copy-paste run command, without warning about the combination.
  • Unauthenticated surface includes GET /account (balance/equity), POST /order/check, and notably POST /connection/login (mt5api/routers/connection.py), which lets any network client re-point the running terminal at attacker-supplied credentials or brute-force account logins through the terminal.
  • The "Security Checklist" in docs/api/rest-api.md:325-334 covers HTTPS/rate limiting but never mentions host binding or that /connection/login is exposed when auth is off.

Impact

On a typical deployment (Windows desktop running a logged-in MT5 terminal on an office/home LAN), anyone on the network can read account financials and hijack the terminal session. The failure mode is silent — nothing in logs indicates the API is running wide open.

Suggested fix

Defense-in-depth for defaults, without breaking intentional deployments:

  • Change DEFAULT_API_HOST to 127.0.0.1; require an explicit MT5API_HOST=0.0.0.0 (documented) to expose the API beyond loopback.
  • Log a prominent startup warning when auth is disabled, and consider refusing to start (or requiring an explicit opt-out env var) when auth is disabled and the bind address is non-loopback.
  • Update README / docs/api/rest-api.md security checklist accordingly (bind address guidance; call out /connection/login exposure).

Validation

  • Unit tests for the new default host and the warning/guard path.
  • Manual: python -m mt5api with no env vars binds to 127.0.0.1:8000; setting MT5API_HOST=0.0.0.0 without a secret key produces the documented warning/refusal.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions