net: validate custom lookup() output

This commit adds validation to the IP address returned by the net module's custom DNS lookup() function.
nodejs · Aug 18, 2020 · 2b8851c · 2b8851c
1 parent 0eca660
commit 2b8851c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/lib/net.js b/lib/net.js
@@ -1039,6 +1039,9 @@ function lookupAndConnect(self, options) {
         // calls net.Socket.connect() on it (that's us). There are no event
         // listeners registered yet so defer the error event to the next tick.
         process.nextTick(connectErrorNT, self, err);
+      } else if (!isIP(ip)) {
+        err = new ERR_INVALID_IP_ADDRESS(ip);
+        process.nextTick(connectErrorNT, self, err);
       } else if (addressType !== 4 && addressType !== 6) {
         err = new ERR_INVALID_ADDRESS_FAMILY(addressType,
                                              options.host,

diff --git a/test/parallel/test-net-dns-custom-lookup.js b/test/parallel/test-net-dns-custom-lookup.js
@@ -41,3 +41,14 @@ function check(addressType, cb) {
 check(4, function() {
   common.hasIPv6 && check(6);
 });
+
+// Verify that bad lookup() IPs are handled.
+{
+  net.connect({
+    host: 'localhost',
+    port: 80,
+    lookup(host, dnsopts, cb) {
+      cb(null, undefined, 4);
+    }
+  }).on('error', common.expectsError({ code: 'ERR_INVALID_IP_ADDRESS' }));
+}