Skip to content

Commit

Permalink
doc: inspector security warning for changing host
Browse files Browse the repository at this point in the history
  • Loading branch information
ChALkeR committed Oct 13, 2018
1 parent 714c1b8 commit 825dbdb
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
21 changes: 21 additions & 0 deletions doc/api/cli.md
Original file line number Diff line number Diff line change
Expand Up @@ -144,6 +144,9 @@ Useful when activating the inspector by sending the `SIGUSR1` signal.

Default host is `127.0.0.1`.

See the [security warning](#inspector_security) below regarding the `host`
parameter usage.

### `--inspect[=[host:]port]`
<!-- YAML
added: v6.3.0
Expand All @@ -155,6 +158,22 @@ V8 inspector integration allows tools such as Chrome DevTools and IDEs to debug
and profile Node.js instances. The tools attach to Node.js instances via a
tcp port and communicate using the [Chrome DevTools Protocol][].

<a id="inspector_security"></a>
#### Warning: binding inspector to a public IP:port combination is insecure

Binding the inspector to a public IP (including `0.0.0.0`) with an open port is
insecure, as it allows third-party hosts to connect to the inspector and perform
a [remote code execution][] attack.

If you specify a host, make sure that at least one of the following is true:
either the host is not public, or the port is properly firewalled to disallow
unwanted connections.

**More specifially, `--inspect=0.0.0.0` is insecure if the port (`9229` by
default) is not firewall-protected.**

See the [debugging security implications][] section for more information.

### `--loader=file`
<!--
added: v9.0.0
Expand Down Expand Up @@ -738,6 +757,8 @@ greater than `4` (its current default value). For more information, see the
[ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage
[V8 JavaScript code coverage]: https://v8project.blogspot.com/2017/12/javascript-code-coverage.html
[debugger]: debugger.html
[debugging security implications]: https://nodejs.org/en/docs/guides/debugging-getting-started/#security-implications
[emit_warning]: process.html#process_process_emitwarning_warning_type_code_ctor
[experimental ECMAScript Module]: esm.html#esm_loader_hooks
[libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html
[remote code execution]: https://www.owasp.org/index.php/Code_Injection
3 changes: 3 additions & 0 deletions doc/api/inspector.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,9 @@ started.
If wait is `true`, will block until a client has connected to the inspect port
and flow control has been passed to the debugger client.

See the [security warning](cli.html#inspector_security) regarding the `host`
parameter usage.

## inspector.url()

* Returns: {string|undefined}
Expand Down

0 comments on commit 825dbdb

Please sign in to comment.