Merge branch 'security/host-check-webpack-1' into webpack-1

Author: sokra

client/index.js

@@ -82,6 +82,9 @@ var onSocketMsg = {
 			log("error", stripAnsi(errors[i]));
 		if(initial) return initial = false;
 	},
+	error: function(error) {
+		console.error(error);
+	},
 	close: function() {
 		log("error", "[WDS] Disconnected!");
 	}

lib/Server.js

@@ -22,6 +22,8 @@ function Server(compiler, options) {
 	this.hot = options.hot;
 	this.headers = options.headers;
 	this.clientLogLevel = options.clientLogLevel;
+	this.disableHostCheck = !!options.disableHostCheck;
+	this.publicHost = options.public;
 	this.sockets = [];
 
 	// Listening for events
@@ -50,6 +52,12 @@ function Server(compiler, options) {
 	// Init express server
 	var app = this.app = new express();
 
+	app.all("*", (req, res, next) => {
+		if(this.checkHost(req.headers))
+			return next();
+		res.send("Invalid Host header");
+	});
+
 	// middleware for serving webpack bundle
 	this.middleware = webpackDevMiddleware(compiler, options);
 
@@ -319,8 +327,37 @@ Server.prototype.setContentHeaders = function(req, res, next) {
 	next();
 }
 
+Server.prototype.checkHost = function(headers) {
+	// allow user to opt-out this security check, at own risk
+	if(this.disableHostCheck) return true;
+
+	// get the Host header and extract hostname
+	// we don't care about port not matching
+	const hostHeader = headers.host;
+	if(!hostHeader) return false;
+	const idx = hostHeader.indexOf(":");
+	const hostname = idx >= 0 ? hostHeader.substr(0, idx) : hostHeader;
+
+	// always allow localhost host, for convience
+	if(hostname === "127.0.0.1" || hostname === "localhost") return true;
+
+	// allow hostname of listening adress
+	if(hostname === this.listenHostname) return true;
+
+	// also allow public hostname if provided
+	if(typeof this.publicHost === "string") {
+		const idxPublic = this.publicHost.indexOf(":");
+		const publicHostname = idxPublic >= 0 ? this.publicHost.substr(0, idx) : this.publicHost;
+		if(hostname === publicHostname) return true;
+	}
+
+	// disallow
+	return false;
+}
+
 // delegate listen call and init sockjs
-Server.prototype.listen = function() {
+Server.prototype.listen = function(port, hostname) {
+	this.listenHostname = hostname;
 	this.listeningApp.listen.apply(this.listeningApp, arguments);
 	var sockServer = sockjs.createServer({
 		// Limit useless logs
@@ -332,6 +369,11 @@ Server.prototype.listen = function() {
 	});
 	sockServer.on("connection", function(conn) {
 		if(!conn) return;
+		if(!this.checkHost(conn.headers)) {
+			this.sockWrite([conn], "error", "Invalid Host header");
+			conn.close();
+			return;
+		}
 		this.sockets.push(conn);
 
 		conn.on("close", function() {

package.json

@@ -18,7 +18,7 @@
     "stream-cache": "~0.0.1",
     "strip-ansi": "^3.0.0",
     "supports-color": "^3.1.1",
-    "webpack-dev-middleware": "^1.4.0",
+    "webpack-dev-middleware": "^1.10.2",
     "http-proxy-middleware": "~0.17.1"
   },
   "devDependencies": {