net: Validate port in createServer().listen() #5732
Conversation
|
|
||
| // The first argument is a configuration object | ||
| assert.throws(function() { | ||
| net.Server().listen({ port: -1 >>> 0 }, assert.fail); |
There was a problem hiding this comment.
I think we have common.fail() for cases like this, instead of assert.fail().
| @@ -1270,6 +1270,12 @@ function emitListeningNT(self) { | |||
| } | |||
|
|
|||
|
|
|||
| function throwIfInvalidPort(port) { | |||
| if (typeof port !== 'undefined' && !isLegalPort(port)) | |||
| throw new RangeError('"port" option should be >= 0 and < 65536: ' + port); | |||
There was a problem hiding this comment.
Maybe use a template string here?
|
Thanks for the review @cjihrig! Fixed the points you raised. By the way, refactoring existing tests to use common ES6 idioms ( |
|
LGTM with a suggestion |
|
LGTM if the CI is happy.
That's not always ideal because things get backported to older versions of Node. Once 0.10 and 0.12 go away, that might be a good idea. |
|
Hm... the internal/net isLegalPort method is a bit wonky. |
|
Yea, |
|
Agree. I moved it into internal/net.js. I didn't make any changes to how it was implemented though to make it backwards-compatible? Maybe we should update it for 6.0? |
|
I'd be OK with that... as long as it doesn't accept |
|
I'll make a PR |
| @@ -1270,6 +1270,12 @@ function emitListeningNT(self) { | |||
| } | |||
|
|
|||
|
|
|||
| function throwIfInvalidPort(port) { | |||
| if (typeof port !== 'undefined' && !isLegalPort(port)) | |||
There was a problem hiding this comment.
If #5733 lands, then the typeof port !== 'undefined' check would be unnecessary.
|
Thanks for taking care of this. LGTM |
|
|
||
|
|
||
| function assertPort(port) { | ||
| if (typeof port !== 'undefined' && !isLegalPort(port)) |
There was a problem hiding this comment.
Can I remove typeof port !== 'undefined' && since #5733 already landed?
There was a problem hiding this comment.
I don't think so. The changes in #5733 make isLegalPort() validate the value of port. undefined isn't a valid port, and is specific to this use case.
There was a problem hiding this comment.
Although you could change it to port === undefined :-)
There was a problem hiding this comment.
-1... the current code allows undefined to pass through.
There was a problem hiding this comment.
Is the following a test?
typeof net.createServer(()=>{}).listen().address().port === 'number';If undefined is meant to be allowed to pass through then should probably document that at least in the form of a test.
There was a problem hiding this comment.
Looking at the code where assertPort is being used, we see:
assertPort(h.port);
if (h.host)
listenAfterLookup(h.port | 0, h.host, backlog, h.exclusive);
else
listen(self, null, h.port | 0, 4, backlog, undefined, h.exclusive);
Notice that listen is called with h.port | 0, so that when h.port is undefined, assertPort falls through and it defaults to 0... specifically to account for when h.port is not explicitly specified.
There was a problem hiding this comment.
@trevnorris: we do have a test that uses undefined (https://github.com/dirceu/node/blob/fix-5727/test/parallel/test-net-listen-port-option.js#L7). Should I change it to explicitly check if the port is a number?
@jasnell: got it. Speaking of which, wouldn't be clearer to use something like this?
let port = h.port | 0;
assertPort(port);
if (h.host)
listenAfterLookup(port, h.host, backlog, h.exclusive);
else
listen(self, null, port, 4, backlog, undefined, h.exclusive);Otherwise, is there anything else that could be improved on the PR?
There was a problem hiding this comment.
@jasnell I just rebased with master and everything seems to be OK.
Make sure we validate the port number in all kinds of `listen()` calls. Fixes: nodejs#5727
jasnell
added
the
semver-major
|
Marking this semver major as it builds on the prior semver-major #5733 |
|
LGTM |
|
Landed in 02ac302. Thank you! |
test/parallel/test-regress-GH-5727 assumed that one of the servers would be listening on IPv6. This breaks when the machine running the test doesn't have IPv6. This commit builds the connection key that is compared dynamically. Refs: #5732 PR-URL: #6319 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Make sure we validate the port number in all kinds of `listen()` calls. Fixes: nodejs#5727 PR-URL: nodejs#5732 Reviewed-By: Evan Lucas <evanlucas@me.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Trevor Norris <trev.norris@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
test/parallel/test-regress-GH-5727 assumed that one of the servers would be listening on IPv6. This breaks when the machine running the test doesn't have IPv6. This commit builds the connection key that is compared dynamically. Refs: nodejs#5732 PR-URL: nodejs#6319 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
test/parallel/test-regress-GH-5727 assumed that one of the servers would be listening on IPv6. This breaks when the machine running the test doesn't have IPv6. This commit builds the connection key that is compared dynamically. Refs: #5732 PR-URL: #6319 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Pull Request check-list
make -j8 test(UNIX) orvcbuild test nosign(Windows) pass withthis change (including linting)?
test (or a benchmark) included?
existing APIs, or introduces new ones)?
Affected core subsystem(s)
net
Description of change
Make sure we validate the port number in all kinds of
listen()calls.Fixes: #5727