Merge branch 'security/host-check'

sokra · sokra · commit f3a4ac6db1da · 2017-04-22T11:59:01.000+02:00
diff --git a/client/index.js b/client/index.js
@@ -119,6 +119,9 @@ var onSocketMsg = {
 			console.error(strippedErrors[i]);
 		if(useErrorOverlay) overlay.showMessage(errors);
 	},
+	error: function(error) {
+		console.error(error);
+	},
 	close: function() {
 		log("error", "[WDS] Disconnected!");
 		sendMsg("Close");
diff --git a/lib/Server.js b/lib/Server.js
@@ -35,6 +35,8 @@ function Server(compiler, options) {
 	this.headers = options.headers;
 	this.clientLogLevel = options.clientLogLevel;
 	this.clientOverlay = options.overlay;
+	this.disableHostCheck = !!options.disableHostCheck;
+	this.publicHost = options.public;
 	this.sockets = [];
 	this.contentBaseWatchers = [];
 
@@ -52,6 +54,12 @@ function Server(compiler, options) {
 	// Init express server
 	const app = this.app = new express();
 
+	app.all("*", (req, res, next) => {
+		if(this.checkHost(req.headers))
+			return next();
+		res.send("Invalid Host header");
+	});
+
 	// middleware for serving webpack bundle
 	this.middleware = webpackDevMiddleware(compiler, options);
 
@@ -389,8 +397,37 @@ Server.prototype.setContentHeaders = function(req, res, next) {
 	next();
 }
 
+Server.prototype.checkHost = function(headers) {
+	// allow user to opt-out this security check, at own risk
+	if(this.disableHostCheck) return true;
+
+	// get the Host header and extract hostname
+	// we don't care about port not matching
+	const hostHeader = headers.host;
+	if(!hostHeader) return false;
+	const idx = hostHeader.indexOf(":");
+	const hostname = idx >= 0 ? hostHeader.substr(0, idx) : hostHeader;
+
+	// always allow localhost host, for convience
+	if(hostname === "127.0.0.1" || hostname === "localhost") return true;
+
+	// allow hostname of listening adress
+	if(hostname === this.listenHostname) return true;
+
+	// also allow public hostname if provided
+	if(typeof this.publicHost === "string") {
+		const idxPublic = this.publicHost.indexOf(":");
+		const publicHostname = idxPublic >= 0 ? this.publicHost.substr(0, idx) : this.publicHost;
+		if(hostname === publicHostname) return true;
+	}
+
+	// disallow
+	return false;
+}
+
 // delegate listen call and init sockjs
-Server.prototype.listen = function() {
+Server.prototype.listen = function(port, hostname) {
+	this.listenHostname = hostname;
 	const returnValue = this.listeningApp.listen.apply(this.listeningApp, arguments);
 	const sockServer = sockjs.createServer({
 		// Use provided up-to-date sockjs-client
@@ -404,6 +441,11 @@ Server.prototype.listen = function() {
 	});
 	sockServer.on("connection", (conn) => {
 		if(!conn) return;
+		if(!this.checkHost(conn.headers)) {
+			this.sockWrite([conn], "error", "Invalid Host header");
+			conn.close();
+			return;
+		}
 		this.sockets.push(conn);
 
 		conn.on("close", () => {
diff --git a/package.json b/package.json
@@ -22,7 +22,7 @@
     "spdy": "^3.4.1",
     "strip-ansi": "^3.0.0",
     "supports-color": "^3.1.1",
-    "webpack-dev-middleware": "^1.9.0",
+    "webpack-dev-middleware": "^1.10.2",
     "yargs": "^6.0.0"
   },
   "devDependencies": {
