src: resolve TODO related to inspector CVEs
This was not done before the security release because the latest CVE was
not known at the time.

PR-URL: #45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
tniessen authored and danielleadams committed Jan 3, 2023
1 parent 4730850 commit 89b3336
Showing 1 changed file with 3 additions and 4 deletions.
7 changes: 3 additions & 4 deletions src/inspector_socket.cc
@@ -162,11 +162,10 @@ static std::string TrimPort(const std::string& host) {
}

static bool IsIPAddress(const std::string& host) {
// TODO(tniessen): add CVEs to the following bullet points
// To avoid DNS rebinding attacks, we are aware of the following requirements:
// * the host name must be an IP address,
// * the IP address must be routable, and
// * the IP address must be formatted unambiguously.
// * the host name must be an IP address (CVE-2018-7160, CVE-2022-32212),
// * the IP address must be routable (hackerone.com/reports/1632921), and
// * the IP address must be formatted unambiguously (CVE-2022-43548).

// The logic below assumes that the string is null-terminated, so ensure that
// we did not somehow end up with null characters within the string.
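Review bot: the second bullet cites a HackerOne report (hackerone.com/reports/1632921) where the other two bullets cite CVE identifiers, so the list is inconsistent in what kind of reference it gives; if a CVE was assigned for the routability issue, cite it next to the report, and write the report reference as a full https:// URL so it resolves from an editor. The first bullet already lists two CVEs in the order they were assigned, which is the right convention to keep for any further additions.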
