-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
lib: use Node.js net lib and reject malformed addresses #144
base: main
Are you sure you want to change the base?
Conversation
Is this getting merged in? |
The maintainer is very inactive. He has no responsibility to continue maintaining this library, but I'd suggest switching to a different actively maintained library. |
@indutny Can you please review/merge this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gh pr checkout 144
}; | ||
|
||
ip.isV6Format = function (ip) { | ||
return ipv6Regex.test(ip); | ||
ip.normalizeStrict = function (addr) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(this makes the PR semver-minor)
default: | ||
throw new Error(`Invalid ip address: ${addr}`); | ||
} | ||
const { address } = new net.SocketAddress({ address: addr, family }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this, however, would make it semver-major, both for the destructuring syntax (ip
has no engines field, so it has to support every node version), and because net.SocketAddress wasn't added until node v14.18.0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mentioned this in the PR body.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, so you did :-)
if there's a nonbreaking way to solve the underlying issue, it seems better to me to PR that in first (as you mentioned in the OP), since that way the vuln will be fixed for the greatest number of users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
gh pr checkout 144
Is this PR getting merged? |
See #143. Given the current API of this library, I believe that it's not suitable to support malformed addresses like
0x7f.1
. It's hard to parse them correctly in all cases. It's better to throw errors for them.This PR uses the Node.js
net
library so it should be reliable.I suggest releasing v3 after merging this, because:
net.SocketAddress
is added in Node v15.14.0 and v14.18.0. I think it's reasonable to drop support for older Node versions because Node 12 has reached end-of-life since 2022-04-30. If the user cares about security, they should use a new Node version.We could try to (partially) fix the security concerns in a compatible way in v2 (and v1) in another pull request.