From d3fc704b960f3d811eb8818533a21485b4527122 Mon Sep 17 00:00:00 2001 From: Martin Schuhfuss Date: Mon, 24 Jul 2017 11:47:16 +0200 Subject: [PATCH 1/2] Always allow requests with IP-address as host in checkHost() This patch will allow any requests made using an IP-address to always pass the checkHost-test. IP-addresses are not susceptible to a dns-rebind like attack so it would make sense to not block them to make local-network development possible without needing to disable the host-checks entirely. fixes #931 --- lib/Server.js | 3 +++ test/Validation.test.js | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/lib/Server.js b/lib/Server.js index ee1bf43997..1e20a2a236 100644 --- a/lib/Server.js +++ b/lib/Server.js @@ -444,6 +444,9 @@ Server.prototype.checkHost = function(headers) { // always allow localhost host, for convience if(hostname === "127.0.0.1" || hostname === "localhost") return true; + // always allow requests with explicit IP-address + if(/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$/.test(hostname)) return true; + // allow if hostname is in allowedHosts if(this.allowedHosts && this.allowedHosts.length) { for(let hostIdx = 0; hostIdx < this.allowedHosts.length; hostIdx++) { diff --git a/test/Validation.test.js b/test/Validation.test.js index e7f28bb1af..8da8b29815 100644 --- a/test/Validation.test.js +++ b/test/Validation.test.js @@ -111,6 +111,17 @@ describe("Validation", function() { } }); + it("should allow access for every requests using an IP", function() { + const options = {}; + const headers = { + host: "192.168.1.123" + }; + const server = new Server(compiler, options); + if(!server.checkHost(headers)) { + throw new Error("Validation didn't fail"); + } + }); + it("should not allow hostnames that don't match options.public", function() { const options = { public: "test.host:80", From 077337bc4f5a983aec690d34eeecc4d60a8234ac Mon Sep 17 00:00:00 2001 From: Martin Schuhfuss Date: Thu, 27 Jul 2017 14:00:35 +0200 Subject: [PATCH 2/2] use 'ip'-module to handle ip-address validation. As per @shellscape's comment, switch to the [ip](https://npmjs.com/package/ip)-module to do validation of ip-address-format. --- lib/Server.js | 9 +++++---- package.json | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/Server.js b/lib/Server.js index 1e20a2a236..0805d8b910 100644 --- a/lib/Server.js +++ b/lib/Server.js @@ -7,6 +7,7 @@ const express = require("express"); const fs = require("fs"); const http = require("http"); const httpProxyMiddleware = require("http-proxy-middleware"); +const ip = require("ip"); const serveIndex = require("serve-index"); const historyApiFallback = require("connect-history-api-fallback"); const path = require("path"); @@ -441,11 +442,11 @@ Server.prototype.checkHost = function(headers) { const idx = hostHeader.indexOf(":"); const hostname = idx >= 0 ? hostHeader.substr(0, idx) : hostHeader; - // always allow localhost host, for convience - if(hostname === "127.0.0.1" || hostname === "localhost") return true; - // always allow requests with explicit IP-address - if(/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}$/.test(hostname)) return true; + if(ip.isV4Format(hostname)) return true; + + // always allow localhost host, for convience + if(hostname === "localhost") return true; // allow if hostname is in allowedHosts if(this.allowedHosts && this.allowedHosts.length) { diff --git a/package.json b/package.json index 9bfa4ee4fb..9cb4e3ee26 100644 --- a/package.json +++ b/package.json @@ -17,6 +17,7 @@ "html-entities": "^1.2.0", "http-proxy-middleware": "~0.17.4", "internal-ip": "^1.2.0", + "ip": "^1.1.5", "loglevel": "^1.4.1", "opn": "4.0.2", "portfinder": "^1.0.9",