Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity

src: resolve TODO related to inspector CVEs

Browse Source 
This was not done before the security release because the latest CVE was
not known at the time.

PR-URL: https://github.com/nodejs/node/pull/45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This commit is contained in:
Tobias Nießen 2022-11-06 23:08:59 +01:00 committed by GitHub
parent e14321bb50
commit 7903f944ec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/inspector_socket.cc
View File

@ -162,11 +162,10 @@ static std::string TrimPort(const std::string& host) {
}
static bool IsIPAddress(const std::string& host) {
// TODO(tniessen): add CVEs to the following bullet points
// To avoid DNS rebinding attacks, we are aware of the following requirements:
// * the host name must be an IP address,
// * the IP address must be routable, and
// * the IP address must be formatted unambiguously.
// * the host name must be an IP address (CVE-2018-7160, CVE-2022-32212),
// * the IP address must be routable (hackerone.com/reports/1632921), and
// * the IP address must be formatted unambiguously (CVE-2022-43548).
// The logic below assumes that the string is null-terminated, so ensure that
// we did not somehow end up with null characters within the string.