From 7903f944ec385ef63c7fcc59872932a3926878b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= <tniessen@tnie.de>
Date: Sun, 6 Nov 2022 23:08:59 +0100
Subject: [PATCH] src: resolve TODO related to inspector CVEs

This was not done before the security release because the latest CVE was not known at the time.

PR-URL: https://github.com/nodejs/node/pull/45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
---
 src/inspector_socket.cc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 8001d893e1fdcc..2c29ff04b25e69 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -162,11 +162,10 @@ static std::string TrimPort(const std::string& host) {
 }

 static bool IsIPAddress(const std::string& host) {
- // TODO(tniessen): add CVEs to the following bullet points
 // To avoid DNS rebinding attacks, we are aware of the following requirements:
- // * the host name must be an IP address,
- // * the IP address must be routable, and
- // * the IP address must be formatted unambiguously.
+ // * the host name must be an IP address (CVE-2018-7160, CVE-2022-32212),
+ // * the IP address must be routable (hackerone.com/reports/1632921), and
+ // * the IP address must be formatted unambiguously (CVE-2022-43548).

 // The logic below assumes that the string is null-terminated, so ensure that
 // we did not somehow end up with null characters within the string.
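Review bot: The "routable" bullet in the IsIPAddress comment is the only one of the three backed by a bare HackerOne path rather than a CVE identifier, so a reader who cannot open that report has no way to tell which address forms the requirement is meant to reject. I would write the reference as a full URL, `// * the IP address must be routable (https://hackerone.com/reports/1632921), and`. It would also help to add a few words after each bullet naming the kind of Host value it rules out, so the comment still explains the checks if a link stops resolving. The body of IsIPAddress continues past the end of the hunk, so whether each bullet maps onto a distinct check below cannot be confirmed from here.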