src: drop localhost6 as allowed host for inspector

mcollina · BethGriggs · commit 43ae9c46c35a · 2021-02-18T11:41:17.000Z
CVE-ID: CVE-2021-22884 Refs: https://hackerone.com/bugs?report_id=1069487 PR-URL: nodejs-private/node-private#244 Reviewed-By: Beth Griggs <bgriggs@redhat.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Mary Marchini <oss@mmarchini.me> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
@@ -580,8 +580,7 @@ class HttpHandler : public ProtocolHandler {
   bool IsAllowedHost(const std::string& host_with_port) const {
     std::string host = TrimPort(host_with_port);
     return host.empty() || IsIPAddress(host)
-           || node::StringEqualNoCase(host.data(), "localhost")
-           || node::StringEqualNoCase(host.data(), "localhost6");
+           || node::StringEqualNoCase(host.data(), "localhost");
   }
 
   bool parsing_value_;

Original file line number	Diff line number	Diff line change
`@@ -580,8 +580,7 @@ class HttpHandler : public ProtocolHandler {`
`580`	`580`	`bool IsAllowedHost(const std::string& host_with_port) const {`
`581`	`581`	`std::string host = TrimPort(host_with_port);`
`582`	`582`	`return host.empty() \|\| IsIPAddress(host)`
`583`		`- \|\| node::StringEqualNoCase(host.data(), "localhost")`
`584`		`- \|\| node::StringEqualNoCase(host.data(), "localhost6");`
	`583`	`+ \|\| node::StringEqualNoCase(host.data(), "localhost");`
`585`	`584`	`}`
`586`	`585`
`587`	`586`	`bool parsing_value_;`