Remove ip module to fix security vulnerability (#2186)

* Remove ip module to fix security vulnerability * Remove ip module
microsoft · Aug 15, 2024 · 2736614 · 2736614
1 parent ab8d0dd
commit 2736614
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 15 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1339,7 +1339,7 @@
           "scope": "resource",
           "default": true
         },
-        "telemetry.optIn":  {
+        "telemetry.optIn": {
           "description": "Whether to send usage data to Microsoft",
           "type": "boolean",
           "scope": "resource",
@@ -1399,11 +1399,12 @@
     "extract-opts": "2.2.0",
     "flatten-source-map": "0.0.2",
     "glob": "7.1.6",
-    "ip": "1.1.9",
+    "ip-address": "^9.0.5",
     "js-base64": "3.6.0",
     "json5": "^1.0.2",
     "jsonc-parser": "3.0.0",
     "mkdirp": "1.0.3",
+    "net": "^1.0.2",
     "openssl-wrapper": "0.3.4",
     "pako": "2.0.3",
     "qr-image": "3.2.0",

diff --git a/src/cdp-proxy/debuggerEndpointHelper.ts b/src/cdp-proxy/debuggerEndpointHelper.ts
@@ -5,11 +5,11 @@ import * as URL from "url";
 import * as http from "http";
 import * as https from "https";
 import { promises as dns } from "dns";
-import * as ipModule from "ip";
 import { CancellationToken } from "vscode";
 import { InternalErrorCode } from "../common/error/internalErrorCode";
 import { ErrorHelper } from "../common/error/errorHelper";
 import { PromiseUtil } from "../common/node/promise";
+import { ipToBuffer } from "../common/utils";
 
 interface DebuggableEndpointData {
     webSocketDebuggerUrl: string;
@@ -21,8 +21,8 @@ export class DebuggerEndpointHelper {
     private localv6: Buffer;
 
     constructor() {
-        this.localv4 = ipModule.toBuffer("127.0.0.1");
-        this.localv6 = ipModule.toBuffer("::1");
+        this.localv4 = ipToBuffer("127.0.0.1");
+        this.localv6 = ipToBuffer("::1");
     }
 
     /**
@@ -199,7 +199,7 @@ export class DebuggerEndpointHelper {
 
         let buf: Buffer;
         try {
-            buf = ipModule.toBuffer(ipOrLocalhost);
+            buf = ipToBuffer(ipOrLocalhost);
         } catch {
             return false;
         }

diff --git a/src/common/utils.ts b/src/common/utils.ts
@@ -1,8 +1,10 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license. See LICENSE file in the project root for details.
 import * as path from "path";
+import * as net from "net";
 import stripJsonComments = require("strip-json-comments");
 import { logger } from "@vscode/debugadapter";
+import { Address4, Address6 } from "ip-address";
 import { ChildProcess } from "./node/childProcess";
 import { HostPlatform } from "./hostPlatform";
 import customRequire from "./customRequire";
@@ -109,3 +111,16 @@ export function getTSVersion(projectPath: string): Promise<string> {
     const childProcess = new ChildProcess();
     return childProcess.execToString("npx tsc -v", { cwd: projectPath });
 }
+
+export function ipToBuffer(ip: string): Buffer {
+    if (net.isIPv4(ip)) {
+        // Handle IPv4 addresses
+        const address = new Address4(ip);
+        return Buffer.from(address.toArray());
+    } else if (net.isIPv6(ip)) {
+        // Handle IPv6 addresses
+        const address = new Address6(ip);
+        return Buffer.from(address.toByteArray());
+    }
+    throw new Error("Invalid IP address format.");
+}