net: Validate port in createServer().listen() #5732
// The first argument is a configuration object | ||
assert.throws(function() { | ||
net.Server().listen({ port: -1 >>> 0 }, assert.fail); |
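Review bot: The `{ port: -1 >>> 0 }` argument hides the value under test. The expression evaluates to 4294967295, whose low 16 bits are 65535, so this case guards against a port that only looks valid after truncation. A short comment stating that value and intent, or the literal itself, would make the test self-explanatory.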
I think we have `common.fail()` for cases like this, instead of `assert.fail()`.
@@ -1270,6 +1270,12 @@ function emitListeningNT(self) { | |||
} | |||
|
|||
|
|||
function throwIfInvalidPort(port) { | |||
if (typeof port !== 'undefined' && !isLegalPort(port)) | |||
throw new RangeError('"port" option should be >= 0 and < 65536: ' + port); |
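Review bot: The `throw new RangeError(... + port)` line builds the message by implicit string concatenation of a caller-supplied value. If a Symbol reaches this line, the concatenation itself raises a TypeError and the intended RangeError is never thrown. Wrapping the value as `String(port)` keeps the error type stable for every input that fails the check.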
Maybe use a template string here?
Thanks for the review @cjihrig! Fixed the points you raised. By the way, refactoring existing tests to use common ES6 idioms (
LGTM with a suggestion
LGTM if the CI is happy.
That's not always ideal because things get backported to older versions of Node. Once 0.10 and 0.12 go away, that might be a good idea.
Hm... the internal/net isLegalPort method is a bit wonky.
Yea,
Agree. I moved it into internal/net.js. I didn't make any changes to how it was implemented though to make it backwards-compatible? Maybe we should update it for 6.0?
I'd be OK with that... as long as it doesn't accept
I'll make a PR
@@ -1270,6 +1270,12 @@ function emitListeningNT(self) { | |||
} | |||
|
|||
|
|||
function throwIfInvalidPort(port) { | |||
if (typeof port !== 'undefined' && !isLegalPort(port)) |
If #5733 lands, then the `typeof port !== 'undefined'` check would be unnecessary.
Thanks for taking care of this. LGTM
|
||
|
||
function assertPort(port) { | ||
if (typeof port !== 'undefined' && !isLegalPort(port)) |
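Review bot: The `typeof port !== 'undefined' &&` guard in `assertPort` lets `undefined` skip validation, and nothing at this spot says why. A one-line comment stating what an undefined port means for the caller, plus a test that pins the behaviour, would keep a later cleanup from dropping the guard.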
Can I remove `typeof port !== 'undefined' &&` since #5733 already landed?
I don't think so. The changes in #5733 make `isLegalPort()` validate the value of `port`. `undefined` isn't a valid port, and is specific to this use case.
Although you could change it to `port === undefined` :-)
-1... the current code allows `undefined` to pass through.
Is the following a test?

```js
typeof net.createServer(()=>{}).listen().address().port === 'number';
```

If `undefined` is meant to be allowed to pass through then should probably document that at least in the form of a test.
Looking at the code where `assertPort` is being used, we see:

```js
assertPort(h.port);
if (h.host)
  listenAfterLookup(h.port | 0, h.host, backlog, h.exclusive);
else
  listen(self, null, h.port | 0, 4, backlog, undefined, h.exclusive);
```

Notice that `listen` is called with `h.port | 0`, so that when `h.port` is undefined, `assertPort` falls through and it defaults to `0`... specifically to account for when h.port is not explicitly specified.
@trevnorris: we do have a test that uses `undefined` (https://github.com/dirceu/node/blob/fix-5727/test/parallel/test-net-listen-port-option.js#L7). Should I change it to explicitly check if the port is a number?
@jasnell: got it. Speaking of which, wouldn't it be clearer to use something like this?

```js
let port = h.port | 0;
assertPort(port);
if (h.host)
  listenAfterLookup(port, h.host, backlog, h.exclusive);
else
  listen(self, null, port, 4, backlog, undefined, h.exclusive);
```

Otherwise, is there anything else that could be improved on the PR?
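The two orderings discussed in this thread (validate the raw `h.port` and then apply `| 0`, versus applying `| 0` first), compared on constructed inputs. This is an added example, not code from the PR or from Node.js; `isPortInRange`, `validateThenCoerce`, `coerceThenValidate` and the sample values are assumptions made for the illustration.

```javascript
// Added example, not code from the PR. isPortInRange is a stand-in validator
// written for this comparison; it is not Node's internal isLegalPort().
function isPortInRange(port) {
  if (typeof port !== 'number' && typeof port !== 'string') return false;
  if (typeof port === 'string' && port.trim().length === 0) return false;
  const n = Number(port);
  return Number.isInteger(n) && n >= 0 && n < 65536;
}

function portError(port) {
  return new RangeError(`"port" option should be >= 0 and < 65536: ${String(port)}`);
}

// Order in the code quoted in the thread: check the raw value, then coerce.
// undefined skips the check and becomes 0 (let the OS pick a port).
function validateThenCoerce(port) {
  if (port !== undefined && !isPortInRange(port)) throw portError(port);
  return port | 0;
}

// Order in the proposed refactor: coerce with | 0 first, then check.
function coerceThenValidate(port) {
  const coerced = port | 0;
  if (!isPortInRange(coerced)) throw portError(port);
  return coerced;
}

// Returns the accepted port, or the name of the error that was thrown.
function outcome(fn, port) {
  try { return fn(port); } catch (err) { return err.name; }
}

// Constructed inputs, not taken from the PR's test suite.
const SAMPLES = [undefined, 8080, '8080', 65536, -1 >>> 0,
                 2 ** 32 + 80, 80.5, 'http', null];

function compareOrders() {
  return SAMPLES.map((input) => ({
    input,
    validateFirst: outcome(validateThenCoerce, input),
    coerceFirst: outcome(coerceThenValidate, input),
  }));
}

for (const row of compareOrders()) console.log(row);
```

With this stand-in validator, `2 ** 32 + 80`, `80.5` and `'http'` are rejected when validated first but come out as ports 80, 80 and 0 when coerced first.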
@jasnell I just rebased with master and everything seems to be OK.
Make sure we validate the port number in all kinds of `listen()` calls. Fixes: nodejs#5727
Marking this semver major as it builds on the prior semver-major #5733
LGTM
Landed in 02ac302. Thank you!
test/parallel/test-regress-GH-5727 assumed that one of the servers would be listening on IPv6. This breaks when the machine running the test doesn't have IPv6. This commit builds the connection key that is compared dynamically. Refs: #5732 PR-URL: #6319 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Make sure we validate the port number in all kinds of `listen()` calls. Fixes: nodejs#5727 PR-URL: nodejs#5732 Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Pull Request check-list
`make -j8 test` (UNIX) or `vcbuild test nosign` (Windows) pass with this change (including linting)?
test (or a benchmark) included?
existing APIs, or introduces new ones)?
Affected core subsystem(s)
net
Description of change
Make sure we validate the port number in all kinds of `listen()` calls.
Fixes: #5727