From eea73a38ed8552c6a99cdd0dea5c9619dc955a21 Mon Sep 17 00:00:00 2001 From: yan Date: Fri, 12 Jan 2018 07:39:56 +0000 Subject: [PATCH 1/2] Add hostname option to mitigate DNS rebinding This adds the `hostname` opt to allow the server to validate the `Host` header of incoming requests to prevent DNS rebinding attacks. Needed for https://github.com/brave/browser-laptop/issues/12616. --- docs/api.md | 1 + lib/server.js | 9 +++++++++ 2 files changed, 10 insertions(+) diff --git a/docs/api.md b/docs/api.md index d1c0a873..013babd3 100644 --- a/docs/api.md +++ b/docs/api.md @@ -327,6 +327,7 @@ Returns an `http.Server` instance (got from calling `http.createServer`). If ```js { origin: String // Allow requests from specific origin. `false` for same-origin. [default: '*'] + hostname: String // If specified, only allow requests whose `Host` header matches this hostname. Note that you should not specify the port since this is automatically determined by the server. Ex: `localhost` [default: `undefined`] } ``` diff --git a/lib/server.js b/lib/server.js index be45ddc1..d0f57169 100644 --- a/lib/server.js +++ b/lib/server.js @@ -51,6 +51,15 @@ function Server (torrent, opts) { // deny them if (req.headers.origin == null) return false + // If a 'hostname' string is specified, deny requests with a 'Host' + // header that does not match the origin of the torrent server to prevent + // DNS rebinding attacks. + if (opts.hostname) { + if (req.headers.host !== `${opts.hostname}:${server.address().port}`) { + return false + } + } + // The user allowed all origins if (opts.origin === '*') return true From 7c107e6d47415d72ca7fd075fc8f78aaae548908 Mon Sep 17 00:00:00 2001 From: Feross Aboukhadijeh Date: Fri, 2 Mar 2018 14:29:02 -0800 Subject: [PATCH 2/2] simplify double if statement --- lib/server.js | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lib/server.js b/lib/server.js index d0f57169..5b241816 100644 --- a/lib/server.js +++ b/lib/server.js @@ -54,10 +54,8 @@ function Server (torrent, opts) { // If a 'hostname' string is specified, deny requests with a 'Host' // header that does not match the origin of the torrent server to prevent // DNS rebinding attacks. - if (opts.hostname) { - if (req.headers.host !== `${opts.hostname}:${server.address().port}`) { - return false - } + if (opts.hostname && req.headers.host !== `${opts.hostname}:${server.address().port}`) { + return false } // The user allowed all origins