lib: add warning when binding inspector to public IP
Add `isLoopback` function to `internal/net` module to check if a given
host is a loopback address.

Add a warning when binding the inspector to a public IP with an open
port, as it allows external hosts to connect to the inspector.

Fixes: nodejs#23444
Refs: https://nodejs.org/api/cli.html#--inspecthostport
DemianParkhomenko committed Nov 5, 2024
1 parent 03dcd70 commit 847aaae
Showing 3 changed files with 56 additions and 0 deletions.
12 changes: 12 additions & 0 deletions lib/inspector.js
Expand Up @@ -18,6 +18,8 @@ const {
ERR_INSPECTOR_NOT_WORKER,
} = require('internal/errors').codes;

const { isLoopback } = require('internal/net');

const { hasInspector } = internalBinding('config');
if (!hasInspector)
throw new ERR_INSPECTOR_NOT_AVAILABLE();
Expand Down Expand Up @@ -171,6 +173,16 @@ function inspectorOpen(port, host, wait) {
if (isUint32(port)) {
validateInt32(port, 'port', 0, 65535);
}
if (host && !isLoopback(host)) {
process.emitWarning(
'Binding the inspector to a public IP with an open port is insecure, ',
'as it allows external hosts to connect to the inspector ',
'and perform a remote code execution attack.',
'Documentation can be found at ' +
'https://nodejs.org/api/cli.html#--inspecthostport',
);
}

open(port, host);
if (wait)
waitForDebugger();
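Review bot: The warning text at lines 39–43 is passed to process.emitWarning as four separate arguments, so only the first sentence becomes the warning message; the second and third strings are interpreted as the `type` and `code` parameters and the concatenated documentation URL lands in the `ctor` slot, so the emitted warning will not read as the author intended. The sentences should be joined into one string: `'Binding the inspector to a public IP with an open port is insecure, ' +`, `'as it allows external hosts to connect to the inspector ' +`, `'and perform a remote code execution attack. ' +` followed by the existing two documentation lines. If a warning type is wanted it can then be passed explicitly as the second argument, matching whatever convention the rest of lib/inspector.js uses — I cannot confirm that from this hunk. inspectorOpen begins before the hunk, so any validation of `host` ahead of the isLoopback call is not visible here; isLoopback calls host.toLowerCase() unconditionally, so a non-string host would throw rather than warn.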
12 changes: 12 additions & 0 deletions lib/internal/net.js
Expand Up @@ -68,11 +68,23 @@ function makeSyncWrite(fd) {
};
}

function isLoopback(host) {
const hostLower = host.toLowerCase();

return (
hostLower === 'localhost' ||
hostLower.startsWith('127.') ||
hostLower.startsWith('[::1]') ||
hostLower.startsWith('[0:0:0:0:0:0:0:1]')
);
}

module.exports = {
kReinitializeHandle: Symbol('kReinitializeHandle'),
isIP,
isIPv4,
isIPv6,
makeSyncWrite,
normalizedArgsSymbol: Symbol('normalizedArgs'),
isLoopback,
};
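Review bot: isLoopback uses startsWith for the bracketed IPv6 literals at lines 63–64, so any string beginning with `[::1]` is accepted as loopback, which is looser than a literal comparison and looks unintentional unless a trailing port or zone id is expected there; if exact literals are meant, `hostLower === '[::1]' ||` and `hostLower === '[0:0:0:0:0:0:0:1]'` are safer and still satisfy the added test. The function is also undocumented; a JSDoc along the lines of "Returns true if host is syntactically a loopback address ('localhost', anything under 127., or a bracketed ::1). Purely textual: hostnames are not resolved, so a name that resolves to 127.0.0.1 is reported as non-loopback, and unbracketed ::1 or IPv4-mapped [::ffff:127.0.0.1] are likewise non-loopback" would record those limitations for callers. Those misses all err toward emitting an extra warning, which is the safe direction for the inspector caller, but the comment should say so. Since host.toLowerCase() runs unconditionally, a non-string argument throws a TypeError instead of returning false; whether callers validate first is not visible in this hunk.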
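--- a/test/parallel/test-internal-net-isLoopback.js
+++ b/test/parallel/test-internal-net-isLoopback.js
@@ -0,0 +1,32 @@
+// Flags: --expose-internals
+'use strict';
+require('../common');
+const assert = require('assert');
+const net = require('internal/net');
+
+const loopback = [
+'localhost',
+'127.0.0.1',
+'127.0.0.255',
+'127.1.2.3',
+'[::1]',
+'[0:0:0:0:0:0:0:1]',
+];
+
+const loopbackNot = [
+'example.com',
+'192.168.1.1',
+'10.0.0.1',
+'255.255.255.255',
+'[2001:db8::1]',
+'[fe80::1]',
+'8.8.8.8',
+];
+
+for (const address of loopback) {
+assert.strictEqual(net.isLoopback(address), true);
+}
+
+for (const address of loopbackNot) {
+assert.strictEqual(net.isLoopback(address), false);
+}
+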
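Review bot: The fixtures never exercise the case-folding in isLoopback nor the all-interfaces bindings the warning exists for, so a regression in either would pass this test. Adding `'LOCALHOST'` to `loopback`, and `'0.0.0.0'` and `'[::]'` to `loopbackNot`, would pin that mixed-case names are recognised and that binding every interface is classified as non-loopback and therefore warned about. Whether forms such as `'::1'` without brackets or `'[::1]:9229'` should count as loopback depends on what hosts the inspector accepts, which this test does not establish; once decided, one fixture for each would lock the prefix-versus-exact matching behaviour in.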
