From 583d5afa5eb64d562d5f1d395f7fbe5a90eeab98 Mon Sep 17 00:00:00 2001
From: Eugene Ostroukhov <eostroukhov@google.com>
Date: Mon, 26 Mar 2018 11:55:35 -0700
Subject: [PATCH] inspector: do not allow host names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR-URL: https://github.com/nodejs-private/node-private/pull/102/
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
---
 src/inspector_socket.cc | 35 +++--------------------------------
 1 file changed, 3 insertions(+), 32 deletions(-)

diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 191ed5b0e5bd0d..b3a810d99c31ed 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -141,8 +141,6 @@ static void remove_from_beginning(std::vector<char>* buffer, size_t count) {
   buffer->erase(buffer->begin(), buffer->begin() + count);
 }
 
-// Cleanup
-
 static const char CLOSE_FRAME[] = {'\x88', '\x00'};
 
 enum ws_decode_result {
@@ -160,15 +158,6 @@ static void generate_accept_string(const std::string& client_key,
   node::base64_encode(hash, sizeof(hash), *buffer, sizeof(*buffer));
 }
 
-static bool IsOneOf(const std::string& host,
-                    const std::vector<std::string>& hosts) {
-  for (const std::string& candidate : hosts) {
-    if (node::StringEqualNoCase(host.data(), candidate.data()))
-      return true;
-  }
-  return false;
-}
-
 static std::string TrimPort(const std::string& host) {
   size_t last_colon_pos = host.rfind(":");
   if (last_colon_pos == std::string::npos)
@@ -192,16 +181,6 @@ static bool IsIPAddress(const std::string& host) {
   return quads == 3;
 }
 
-// This is a value coming from the interface, it can only be IPv4 or IPv6
-// address string.
-static bool IsIPv4Localhost(const std::string& host) {
-  std::string v6_tunnel_prefix = "::ffff:";
-  if (host.substr(0, v6_tunnel_prefix.length()) == v6_tunnel_prefix)
-    return IsIPv4Localhost(host.substr(v6_tunnel_prefix.length()));
-  std::string localhost_net = "127.";
-  return host.substr(0, localhost_net.length()) == localhost_net;
-}
-
 // Constants for hybi-10 frame format.
 
 typedef int OpCode;
@@ -600,17 +579,9 @@ class HttpHandler : public ProtocolHandler {
 
   bool IsAllowedHost(const std::string& host_with_port) const {
     std::string host = TrimPort(host_with_port);
-    if (host.empty())
-      return false;
-    if (IsIPAddress(host))
-       return true;
-    std::string socket_host = GetHost();
-    if (IsIPv4Localhost(socket_host)) {
-      return IsOneOf(host, { "localhost" });
-    } else if (socket_host == "::1") {
-      return IsOneOf(host, { "localhost", "localhost6" });
-    }
-    return true;
+    return host.empty() || IsIPAddress(host)
+           || node::StringEqualNoCase(host.data(), "localhost")
+           || node::StringEqualNoCase(host.data(), "localhost6");
   }
 
   bool parsing_value_;