Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lib: add warning when binding inspector to public IP #55736

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

lib: add warning when binding inspector to public IP #55736

wants to merge 1 commit into from
+56 −0

Conversation

DemianParkhomenko
Copy link

@DemianParkhomenko DemianParkhomenko commented Nov 5, 2024
edited
Loading

Add isLoopback function to internal/net module to check if a given host is a loopback address.

Add a warning when binding the inspector to a public IP with an open port, as it allows external hosts to connect to the inspector.

Fixes: #23444
Refs: https://nodejs.org/api/cli.html#--inspecthostport IANA IPv4 Special-Purpose Address Registry
 IANA IPv6 Special-Purpose Address Registry
 Special-Use Domain Names

@DemianParkhomenko
lib: add warning when binding inspector to public IP
847aaae 
Add `isLoopback` function to `internal/net` module to check if a given
host is a loopback address.

Add a warning when binding the inspector to a public IP with an open
port, as it allows external hosts to connect to the inspector.

Fixes: nodejs#23444
Refs: https://nodejs.org/api/cli.html#--inspecthostport
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added inspector Issues and PRs related to the V8 inspector protocol needs-ci PRs that need a full CI run. net Issues and PRs related to the net subsystem. labels Nov 5, 2024
anonrig
anonrig reviewed Nov 5, 2024
View reviewed changes
test/parallel/test-internal-net-isLoopback.js
}

for (const address of loopbackNot) {
assert.strictEqual(net.isLoopback(address), false);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should test the warning not this particular function.

RedYetiDev
RedYetiDev reviewed Nov 6, 2024
View reviewed changes
lib/internal/net.js
Comment on lines +71 to +80
function isLoopback(host) {
const hostLower = host.toLowerCase();

return (
hostLower === 'localhost' ||
hostLower.startsWith('127.') ||
hostLower.startsWith('[::1]') ||
hostLower.startsWith('[0:0:0:0:0:0:0:1]')
);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a source for this information?

What about 0.0.0.0 addresses?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml

What about 0.0.0.0 addresses?

According to my understanding 0.0.0.0 should not be considered as loopback address.

https://en.wikipedia.org/wiki/0.0.0.0
https://www.rfc-editor.org/rfc/rfc1122.html

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the info! IMO you should add a comment with the IANA links for reference

LiviaMedeiros
LiviaMedeiros reviewed Nov 6, 2024
View reviewed changes
test/parallel/test-internal-net-isLoopback.js
Comment on lines +18 to +19
'192.168.1.1',
'10.0.0.1',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we really warn for these? IMHO binding to IP in private subnet is usually fine.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LiviaMedeiros LiviaMedeiros LiviaMedeiros left review comments

@RedYetiDev RedYetiDev RedYetiDev left review comments

@anonrig anonrig anonrig left review comments

Assignees
No one assigned
Labels
inspector Issues and PRs related to the V8 inspector protocol needs-ci PRs that need a full CI run. net Issues and PRs related to the net subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Warn on potentially insecure inspector options (--inspect=0.0.0.0)
5 participants
@DemianParkhomenko @nodejs-github-bot @anonrig @RedYetiDev @LiviaMedeiros