-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: add security warning when inspector is running on public network #23756
Conversation
I'm not sure its worth distinguishing between private and public networks - most "public" networks, such as Cafes, are going to use private IPs. The localhost vs external access distinction is, I think, the most important, and a dire warning about external machines being able to access the inspector port should get the point across. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
like sam said, I think the actual distinction here needs to be external vs internal interface
09eecc2
to
a8be9c1
Compare
@@ -155,6 +155,19 @@ | |||
}); | |||
process.argv[0] = process.execPath; | |||
|
|||
// Handle inspector security warning | |||
const debugOptions = process.binding('config').debugOptions; | |||
if (debugOptions.host !== '127.0.0.1') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about other loopback addresses? What about IPv6?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is just a guard against default value that is here, even when the user does not run node with inspect parameter
public: 'PUBLIC' | ||
}; | ||
|
||
function isValidIpV4(parts) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already have this kind of functionality in core, it would be better to just reuse that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you mind pointing out where it is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@slonka I believe you can find this kind of validation on internal/net.js
Lines 25 to 37 in 2f1c356
function isIPv4(s) { | |
return IPv4Reg.test(s); | |
} | |
function isIPv6(s) { | |
return IPv6Reg.test(s); | |
} | |
function isIP(s) { | |
if (isIPv4(s)) return 4; | |
if (isIPv6(s)) return 6; | |
return 0; | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that this should instead be about loopback vs non-loopback. Also as mentioned inline, there is missing IPv6 support and missing support for other loopback addresses.
@mscdex @mscdex @devsnek
I supposed the difference between warnings A and B be subtle, just to provide more details to users, as in some situations |
return ''; | ||
} else if (range === IP_RANGES.private) { | ||
return 'Inspector: you are running inspector on a private network. ' + | ||
'Make sure you trust all the hosts on this network ' + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This warning does not describe the actual implications and doesn't tell the user what the actual problem is.
How about
In case if port ${port} is not filtered on your machine by a firewall, anyone in the same
private network ${subnet} could access your setup and perform a remote code execution.
Subnet could be taken from os.networkInterfaces()
.
a8be9c1
to
71a1a00
Compare
@slonka - can you address the review comments? |
I will after new years, sorry for the delay. |
8ae28ff
to
2935f72
Compare
There's been no further activity here. Recommending closing if it does not move forward soon |
Closing. Can reopen if someone decides to pick this back up |
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passesHi, this is an attempt to fix #23444 it's not complete but I wanted to know if I'm even heading in the right direction.