Skip to content

Always allow requests with IP-address as host in checkHost() #1007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jul 27, 2017
Merged

Always allow requests with IP-address as host in checkHost() #1007

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d3fc704
Always allow requests with IP-address as host in checkHost()
usefulthink Jul 24, 2017
077337b
use 'ip'-module to handle ip-address validation.
usefulthink Jul 27, 2017
79219db
Merge branch 'master' into check-hosts-allow-ips
shellscape Jul 27, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions lib/Server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -444,6 +444,9 @@ Server.prototype.checkHost = function(headers) {
// always allow localhost host, for convience
if(hostname === "127.0.0.1" || hostname === "localhost") return true;

// always allow requests with explicit IP-address
if(/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$/.test(hostname)) return true;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a few more testcases, for both the valid and invalid IP cases?

Also, I wonder if a simplified regex that just checked that each octet was numeric would be simpler to read/faster/still as secure? RFC3696 section 2 says that top level domain names aren't allowed to be all-numeric, so eg 999.999.999.999 still won't be treated as a domain, so can't be used for DNS rebinding.

For example:

// Requests to explicit IP-addresses can't be exploited by DNS rebinding.
// For simplicity the regex matches numeric ranges that aren't valid IPs, but
// this is still secure since top level domain names can never be all-numeric:
// https://tools.ietf.org/html/rfc3696#section-2
if(/^([0-9]{1,3}(\.|$)){4}$/.test(hostname)) return true;

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the simplicity and probably would want to do that. We don't validate other aspects of IP adress as well (reserved, multicast, etc) and I can't think of a way to have an invalid or unrouteable IP-address in the browser anyway.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see https://www.npmjs.com/package/ip and ip.isV4Format used here, rather than a regex.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about that as well, but didn't want to introduce any new dependencies for something that could be put in a simple (ok, thats arguable) regex. Is there any policy regarding adding dependencies?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the dependencies were being packaged for a production environment, I'd agree with you. Since this is strictly a development tool, tried and true dependencies to perform utility functions are acceptable. You'll see that pattern throughout the commit history. (for example; loglevel over a custom implementation).


// allow if hostname is in allowedHosts
if(this.allowedHosts && this.allowedHosts.length) {
for(let hostIdx = 0; hostIdx < this.allowedHosts.length; hostIdx++) {
Expand Down
11 changes: 11 additions & 0 deletions test/Validation.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,17 @@ describe("Validation", function() {
}
});

it("should allow access for every requests using an IP", function() {
const options = {};
const headers = {
host: "192.168.1.123"
};
const server = new Server(compiler, options);
if(!server.checkHost(headers)) {
throw new Error("Validation didn't fail");
}
});

it("should not allow hostnames that don't match options.public", function() {
const options = {
public: "test.host:80",
Expand Down