Skip to content

Commit

Permalink
inspector: do not allow host names
Browse files Browse the repository at this point in the history
PR-URL: https://github.com/nodejs-private/node-private/pull/102/
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
  • Loading branch information
eugeneo authored and MylesBorins committed Mar 28, 2018
1 parent fc1a610 commit 583d5af
Showing 1 changed file with 3 additions and 32 deletions.
35 changes: 3 additions & 32 deletions src/inspector_socket.cc
Original file line number Diff line number Diff line change
Expand Up @@ -141,8 +141,6 @@ static void remove_from_beginning(std::vector<char>* buffer, size_t count) {
buffer->erase(buffer->begin(), buffer->begin() + count);
}

// Cleanup

static const char CLOSE_FRAME[] = {'\x88', '\x00'};

enum ws_decode_result {
Expand All @@ -160,15 +158,6 @@ static void generate_accept_string(const std::string& client_key,
node::base64_encode(hash, sizeof(hash), *buffer, sizeof(*buffer));
}

static bool IsOneOf(const std::string& host,
const std::vector<std::string>& hosts) {
for (const std::string& candidate : hosts) {
if (node::StringEqualNoCase(host.data(), candidate.data()))
return true;
}
return false;
}

static std::string TrimPort(const std::string& host) {
size_t last_colon_pos = host.rfind(":");
if (last_colon_pos == std::string::npos)
Expand All @@ -192,16 +181,6 @@ static bool IsIPAddress(const std::string& host) {
return quads == 3;
}

// This is a value coming from the interface, it can only be IPv4 or IPv6
// address string.
static bool IsIPv4Localhost(const std::string& host) {
std::string v6_tunnel_prefix = "::ffff:";
if (host.substr(0, v6_tunnel_prefix.length()) == v6_tunnel_prefix)
return IsIPv4Localhost(host.substr(v6_tunnel_prefix.length()));
std::string localhost_net = "127.";
return host.substr(0, localhost_net.length()) == localhost_net;
}

// Constants for hybi-10 frame format.

typedef int OpCode;
Expand Down Expand Up @@ -600,17 +579,9 @@ class HttpHandler : public ProtocolHandler {

bool IsAllowedHost(const std::string& host_with_port) const {
std::string host = TrimPort(host_with_port);
if (host.empty())
return false;
if (IsIPAddress(host))
return true;
std::string socket_host = GetHost();
if (IsIPv4Localhost(socket_host)) {
return IsOneOf(host, { "localhost" });
} else if (socket_host == "::1") {
return IsOneOf(host, { "localhost", "localhost6" });
}
return true;
return host.empty() || IsIPAddress(host)
|| node::StringEqualNoCase(host.data(), "localhost")
|| node::StringEqualNoCase(host.data(), "localhost6");
}

bool parsing_value_;
Expand Down

0 comments on commit 583d5af

Please sign in to comment.