-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn on potentially insecure inspector options (--inspect=0.0.0.0) #23444
Comments
can I work on this one ? |
@nik72619c Sure! Documentation change is in #23640, the warning part is free to be taken atm. I was thinking about:
Loopback: 127.0.0.0 — 127.255.255.255. There are more special address blocks, but those are unlikely to be observed, so just falling back to «public» and printing a corresponding warning should be fine imo. I can mentor that. |
@nik72619c are you still working on this? If not I'm happy to take over. |
Refs: nodejs#23444 Refs: nodejs#21774 PR-URL: nodejs#23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Add `isLoopback` function to `internal/net` module to check if a given host is a loopback address. Add a warning when binding the inspector to a public IP with an open port, as it allows external hosts to connect to the inspector. Fixes: nodejs#23444 Refs: https://nodejs.org/api/cli.html#--inspecthostport
Extracted from #21774.
Inspector by default is bound to 127.0.0.1, but suggestion to launch it with
--inspect=0.0.0.0
is highly copy-pasted without proper understanding what it does. I've observed that personally in chats, also see google.Binding inspector to 0.0.0.0 (in fact, to anything but the loopback interface ip) allows RCE, which could be catastrophic in cases where the IP is public. The users should be informed of that.
A warning printed to the console (with corresponding documentation change) should at least somewhat mitigate this.
Note: the doc change and the c++ change can come separately.
The text was updated successfully, but these errors were encountered: