doc: inspector security warning for changing host to a public IP #23640
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ChALkeR
force-pushed
the
inspect-security-doc
branch
from
c48bfaa
to
e552d34
Compare
ChALkeR
added
security
ofrobots
reviewed
Oct 13, 2018
doc/api/cli.md
Outdated
| either the IP is not public, or the port is properly firewalled to disallow | ||
| unwanted connections. | ||
|
|
||
| **More specifially, `--inspect=0.0.0.0` is insecure if the port (`9229` by |
There was a problem hiding this comment.
It might be worthwhile linking to this page that talks about things in more detail: https://nodejs.org/en/docs/guides/debugging-getting-started/#security-implications
There was a problem hiding this comment.
Nit: Specifically typo
sam-github
reviewed
Oct 13, 2018
doc/api/cli.md
Outdated
| #### Warning: binding inspector to a public IP:port combination is insecure | ||
|
|
||
| Binding the inspector to a public IP (including `0.0.0.0`) with an open port is | ||
| insecure, as it allows anyone of the outside could connect to the inspector and |
There was a problem hiding this comment.
"anyone of the outside" isn't grammatically correct - perhaps "as it allows other hosts to connect to the inspector"
There was a problem hiding this comment.
Done, with s/other/third-party/.
sam-github
reviewed
Oct 13, 2018
doc/api/cli.md
Outdated
| perform a [remote code execution][] attack. | ||
|
|
||
| If you specify a host, make sure that at least one of the following is true: | ||
| either the IP is not public, or the port is properly firewalled to disallow |
There was a problem hiding this comment.
s/IP/host/ - use the same word in both places
ChALkeR
force-pushed
the
inspect-security-doc
branch
from
e552d34
to
9897f34
Compare
addaleax
approved these changes
Oct 13, 2018
doc/api/cli.md
Outdated
| @@ -144,6 +144,8 @@ Useful when activating the inspector by sending the `SIGUSR1` signal. | |||
|
|
|||
| Default host is `127.0.0.1`. | |||
|
|
|||
| See the [security warning](#inspector_security) below. | |||
There was a problem hiding this comment.
security warning about providing a different `host` , or something similar to the added text in the other file? That would give people an indication about the circumstances in which there are security concerns upfront
There was a problem hiding this comment.
Changed to
See the security warning below regarding the
hostparameter usage.
and
See the security warning regarding the
hostparameter usage.
in two files.
Thanks!
gireeshpunathil
approved these changes
Oct 13, 2018
cjihrig
approved these changes
Oct 13, 2018
ChALkeR
force-pushed
the
inspect-security-doc
branch
from
9897f34
to
825dbdb
Compare
sam-github
approved these changes
Oct 13, 2018
thefourtheye
approved these changes
Oct 15, 2018
doc/api/cli.md
Outdated
| #### Warning: binding inspector to a public IP:port combination is insecure | ||
|
|
||
| Binding the inspector to a public IP (including `0.0.0.0`) with an open port is | ||
| insecure, as it allows third-party hosts to connect to the inspector and perform |
There was a problem hiding this comment.
Wouldn't external hosts be better than third-party here? We don't even have a second party here.
doc/api/cli.md
Outdated
| either the IP is not public, or the port is properly firewalled to disallow | ||
| unwanted connections. | ||
|
|
||
| **More specifially, `--inspect=0.0.0.0` is insecure if the port (`9229` by |
There was a problem hiding this comment.
Nit: Specifically typo
eugeneo
approved these changes
Oct 15, 2018
Trott
added
the
author ready
|
Landed in 90be286 |
Trott
pushed a commit
to Trott/io.js
that referenced
this pull request
Nov 6, 2018
Refs: nodejs#23444 Refs: nodejs#21774 PR-URL: nodejs#23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
targos
pushed a commit
that referenced
this pull request
Nov 6, 2018
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
This was referenced Nov 15, 2018
This was referenced Nov 15, 2018
codebytere
pushed a commit
that referenced
this pull request
Nov 29, 2018
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 29, 2018
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Merged
MylesBorins
pushed a commit
that referenced
this pull request
Dec 3, 2018
Refs: #23444 Refs: #21774 PR-URL: #23640 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is the documentation part of #23444.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes/cc @nodejs/documentation @nodejs/security-wg