Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net: Validate port in createServer().listen() #5732

Closed
wants to merge 1 commit into from

Conversation

dirceu
Copy link
Contributor

@dirceu dirceu commented Mar 15, 2016

Pull Request check-list

  • Does make -j8 test (UNIX) or vcbuild test nosign (Windows) pass with
    this change (including linting)?
  • Is the commit message formatted according to [CONTRIBUTING.md][0]?
  • If this change fixes a bug (or a performance problem), is a regression
    test (or a benchmark) included?
  • Is a documentation update included (if this change modifies
    existing APIs, or introduces new ones)?

Affected core subsystem(s)

net

Description of change

Make sure we validate the port number in all kinds of listen() calls.

Fixes: #5727

@mscdex mscdex added the net Issues and PRs related to the net subsystem. label Mar 16, 2016

// The first argument is a configuration object
assert.throws(function() {
net.Server().listen({ port: -1 >>> 0 }, assert.fail);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have common.fail() for cases like this, instead of assert.fail().

@@ -1270,6 +1270,12 @@ function emitListeningNT(self) {
}


function throwIfInvalidPort(port) {
if (typeof port !== 'undefined' && !isLegalPort(port))
throw new RangeError('"port" option should be >= 0 and < 65536: ' + port);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe use a template string here?

@dirceu
Copy link
Contributor Author

dirceu commented Mar 16, 2016

Thanks for the review @cjihrig! Fixed the points you raised.

By the way, refactoring existing tests to use common ES6 idioms (const, let, maybe arrow functions) could make a good issue for good-first-contribution.

@evanlucas
Copy link
Contributor

LGTM with a suggestion

@evanlucas
Copy link
Contributor

@cjihrig
Copy link
Contributor

cjihrig commented Mar 16, 2016

LGTM if the CI is happy.

By the way, refactoring existing tests to use common ES6 idioms (const, let, maybe arrow functions) could make a good issue for good-first-contribution.

That's not always ideal because things get backported to older versions of Node. Once 0.10 and 0.12 go away, that might be a good idea.

@jasnell
Copy link
Member

jasnell commented Mar 16, 2016

Hm... the internal/net isLegalPort method is a bit wonky. isLegalPort(true) and isLegalPort(false) each return true, which is just odd...

@cjihrig
Copy link
Contributor

cjihrig commented Mar 16, 2016

Yea, isLegalPort() really only does range validation for strings and numbers.

@evanlucas
Copy link
Contributor

Agree. I moved it into internal/net.js. I didn't make any changes to how it was implemented though to make it backwards-compatible? Maybe we should update it for 6.0?

@cjihrig
Copy link
Contributor

cjihrig commented Mar 16, 2016

I'd be OK with that... as long as it doesn't accept undefined as a valid port.

@jasnell
Copy link
Member

jasnell commented Mar 16, 2016

I'll make a PR

@@ -1270,6 +1270,12 @@ function emitListeningNT(self) {
}


function throwIfInvalidPort(port) {
if (typeof port !== 'undefined' && !isLegalPort(port))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If #5733 lands, then the typeof port !== 'undefined' check would be unnecessary.

@trevnorris
Copy link
Contributor

Thanks for taking care of this. LGTM



function assertPort(port) {
if (typeof port !== 'undefined' && !isLegalPort(port))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can I remove typeof port !== 'undefined' && since #5733 already landed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think so. The changes in #5733 make isLegalPort() validate the value of port. undefined isn't a valid port, and is specific to this use case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although you could change it to port === undefined :-)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-1... the current code allows undefined to pass through.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the following a test?

typeof net.createServer(()=>{}).listen().address().port === 'number';

If undefined is meant to be allowed to pass through then should probably document that at least in the form of a test.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the code where assertPort is being used, we see:

        assertPort(h.port);
        if (h.host)
          listenAfterLookup(h.port | 0, h.host, backlog, h.exclusive);
        else
          listen(self, null, h.port | 0, 4, backlog, undefined, h.exclusive);

Notice that listen is called with h.port | 0, so that when h.port is undefined, assertPort falls through and it defaults to 0... specifically to account for when h.port is not explicitly specified.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@trevnorris: we do have a test that uses undefined (https://github.com/dirceu/node/blob/fix-5727/test/parallel/test-net-listen-port-option.js#L7). Should I change it to explicitly check if the port is a number?

@jasnell: got it. Speaking of which, wouldn't be clearer to use something like this?

    let port = h.port | 0;
    assertPort(port);
    if (h.host)
      listenAfterLookup(port, h.host, backlog, h.exclusive);
    else
      listen(self, null, port, 4, backlog, undefined, h.exclusive);

Otherwise, is there anything else that could be improved on the PR?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, just getting back to this one. Since #5733 landed, isLegalPort(undefined) now returns false. @dirceu, not certain if that changes any of the details that you're doing here. Can you take another look?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jasnell I just rebased with master and everything seems to be OK.

Make sure we validate the port number in all kinds of `listen()` calls.

Fixes: nodejs#5727
@jasnell jasnell added the semver-major PRs that contain breaking changes and should be released in the next major version. label Apr 20, 2016
@jasnell
Copy link
Member

jasnell commented Apr 20, 2016

Marking this semver major as it builds on the prior semver-major #5733

@jasnell
Copy link
Member

jasnell commented Apr 20, 2016

@jasnell
Copy link
Member

jasnell commented Apr 20, 2016

LGTM

jasnell pushed a commit that referenced this pull request Apr 20, 2016
Make sure we validate the port number in all kinds of `listen()` calls.

Fixes: #5727
PR-URL: #5732
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@jasnell
Copy link
Member

jasnell commented Apr 20, 2016

Landed in 02ac302. Thank you!

@jasnell jasnell closed this Apr 20, 2016
cjihrig added a commit that referenced this pull request Apr 21, 2016
test/parallel/test-regress-GH-5727 assumed that one of the
servers would be listening on IPv6. This breaks when the machine
running the test doesn't have IPv6. This commit builds the
connection key that is compared dynamically.

Refs: #5732
PR-URL: #6319
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
joelostrowski pushed a commit to joelostrowski/node that referenced this pull request Apr 25, 2016
Make sure we validate the port number in all kinds of `listen()` calls.

Fixes: nodejs#5727
PR-URL: nodejs#5732
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
joelostrowski pushed a commit to joelostrowski/node that referenced this pull request Apr 25, 2016
test/parallel/test-regress-GH-5727 assumed that one of the
servers would be listening on IPv6. This breaks when the machine
running the test doesn't have IPv6. This commit builds the
connection key that is compared dynamically.

Refs: nodejs#5732
PR-URL: nodejs#6319
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
jasnell pushed a commit that referenced this pull request Apr 26, 2016
Make sure we validate the port number in all kinds of `listen()` calls.

Fixes: #5727
PR-URL: #5732
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
jasnell pushed a commit that referenced this pull request Apr 26, 2016
test/parallel/test-regress-GH-5727 assumed that one of the
servers would be listening on IPv6. This breaks when the machine
running the test doesn't have IPv6. This commit builds the
connection key that is compared dynamically.

Refs: #5732
PR-URL: #6319
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
net Issues and PRs related to the net subsystem. semver-major PRs that contain breaking changes and should be released in the next major version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

net: _connectionKey given wrong value for large port
6 participants