lib: use Node.js net lib and reject malformed addresses #144
Conversation
|
Is this getting merged in? |
|
The maintainer is very inactive. He has no responsibility to continue maintaining this library, but I'd suggest switching to a different actively maintained library. |
|
@indutny Can you please review/merge this PR? |
| }; | ||
|
|
||
| ip.isV6Format = function (ip) { | ||
| return ipv6Regex.test(ip); | ||
| ip.normalizeStrict = function (addr) { |
| default: | ||
| throw new Error(`Invalid ip address: ${addr}`); | ||
| } | ||
| const { address } = new net.SocketAddress({ address: addr, family }); |
There was a problem hiding this comment.
this, however, would make it semver-major, both for the destructuring syntax (ip has no engines field, so it has to support every node version), and because net.SocketAddress wasn't added until node v14.18.0.
There was a problem hiding this comment.
ah, so you did :-)
if there's a nonbreaking way to solve the underlying issue, it seems better to me to PR that in first (as you mentioned in the OP), since that way the vuln will be fixed for the greatest number of users.
|
Is this PR getting merged? |
See #143. Given the current API of this library, I believe that it's not suitable to support malformed addresses like
0x7f.1. It's hard to parse them correctly in all cases. It's better to throw errors for them.This PR uses the Node.js
netlibrary so it should be reliable.I suggest releasing v3 after merging this, because:
net.SocketAddressis added in Node v15.14.0 and v14.18.0. I think it's reasonable to drop support for older Node versions because Node 12 has reached end-of-life since 2022-04-30. If the user cares about security, they should use a new Node version.We could try to (partially) fix the security concerns in a compatible way in v2 (and v1) in another pull request.