Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

inspector: report client-visible host and port #19664

Merged
merged 1 commit into from
Apr 2, 2018
Merged

inspector: report client-visible host and port #19664

merged 1 commit into from
Apr 2, 2018

Conversation

eugeneo
Copy link
Contributor

@eugeneo eugeneo commented Mar 28, 2018

Node instance may not know the real host and port user sees when
debug frontend connects through the SSH tunnel. This change fixes
'/json/list' response by using the value client provided in the host
header.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Mar 28, 2018
}
std::string FormatAddress(const std::string& host,
const std::string& target_id,
bool include_protocol) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you line these two arguments up with the first one.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

@TimothyGu
Copy link
Member

I’m not sure what to feel about this. It feels almost like an XSS vector, but using HTTP headers.

@eugeneo
Copy link
Contributor Author

eugeneo commented Mar 30, 2018

I’m not sure what to feel about this. It feels almost like an XSS vector, but using HTTP headers.

Can you clarify? In my opinion, it is the opposite - less information (that the remote party may not already know) is provided. Before this patch, the response would show an actual IP in case of remote connection.

@TimothyGu
Copy link
Member

Fair enough.

@eugeneo
Copy link
Contributor Author

eugeneo commented Mar 30, 2018

@eugeneo
Copy link
Contributor Author

eugeneo commented Apr 2, 2018

Did a second CI run: https://ci.nodejs.org/job/node-test-commit/17358/ No relevant failures detected (one failure from the first run was not detected in the second run and seems unlikely to have been caused by the change)

Node instance may not know the real host and port user sees when
debug frontend connects through the SSH tunnel. This change fixes
'/json/list' response by using the value client provided in the host
header.

PR-URL: #19664
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
@eugeneo eugeneo merged commit a9a1f12 into nodejs:master Apr 2, 2018
@eugeneo eugeneo deleted the report-host-port branch April 2, 2018 17:23
targos pushed a commit that referenced this pull request Apr 2, 2018
Node instance may not know the real host and port user sees when
debug frontend connects through the SSH tunnel. This change fixes
'/json/list' response by using the value client provided in the host
header.

PR-URL: #19664
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
@targos targos mentioned this pull request Apr 4, 2018
@TimothyGu TimothyGu added the inspector Issues and PRs related to the V8 inspector protocol label Apr 30, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. inspector Issues and PRs related to the V8 inspector protocol lib / src Issues and PRs related to general changes in the lib or src directory.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants