author | Сковорода Никита Андреевич <chalkerx@gmail.com> | 2018-10-13 19:40:44 +0300
---|---|---
committer | Rich Trott <rtrott@gmail.com> | 2018-11-05 22:38:01 -0800
commit | 90be2860345094681f8a1f2bb11cf8fa475c5542 (patch)
tree | 23bcfb62d13cf0c3afa464d5683eab8cacdf9676
parent | 54e29221c35839cdd58cac3c05c73e9e9d8f4170 (diff)
doc: inspector security warning for changing host
Refs: https://github.com/nodejs/node/issues/23444
Refs: https://github.com/nodejs/node/issues/21774
PR-URL: https://github.com/nodejs/node/pull/23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
-rw-r--r-- | doc/api/cli.md | 21
-rw-r--r-- | doc/api/inspector.md | 3
2 files changed, 24 insertions, 0 deletions
diff --git a/doc/api/cli.md b/doc/api/cli.md index 4b8ce93736..29f3360dda 100644 --- a/doc/api/cli.md +++ b/doc/api/cli.md @@ -144,6 +144,9 @@ Useful when activating the inspector by sending the `SIGUSR1` signal. Default host is `127.0.0.1`. +See the [security warning](#inspector_security) below regarding the `host` +parameter usage. + ### `--inspect[=[host:]port]` <!-- YAML added: v6.3.0 @@ -155,6 +158,22 @@ V8 inspector integration allows tools such as Chrome DevTools and IDEs to debug and profile Node.js instances. The tools attach to Node.js instances via a tcp port and communicate using the [Chrome DevTools Protocol][]. +<a id="inspector_security"></a> +#### Warning: binding inspector to a public IP:port combination is insecure + +Binding the inspector to a public IP (including `0.0.0.0`) with an open port is +insecure, as it allows external hosts to connect to the inspector and perform +a [remote code execution][] attack. + +If you specify a host, make sure that at least one of the following is true: +either the host is not public, or the port is properly firewalled to disallow +unwanted connections. + +**More specifically, `--inspect=0.0.0.0` is insecure if the port (`9229` by +default) is not firewall-protected.** + +See the [debugging security implications][] section for more information. + ### `--loader=file` <!-- YAML added: v9.0.0 
@@ -741,6 +760,8 @@ greater than `4` (its current default value). For more information, see the [ScriptCoverage]: https://chromedevtools.github.io/devtools-protocol/tot/Profiler#type-ScriptCoverage [V8 JavaScript code coverage]: https://v8project.blogspot.com/2017/12/javascript-code-coverage.html [debugger]: debugger.html +[debugging security implications]: https://nodejs.org/en/docs/guides/debugging-getting-started/#security-implications [emit_warning]: process.html#process_process_emitwarning_warning_type_code_ctor [experimental ECMAScript Module]: esm.html#esm_loader_hooks [libuv threadpool documentation]: http://docs.libuv.org/en/latest/threadpool.html +[remote code execution]: https://www.owasp.org/index.php/Code_Injection diff --git a/doc/api/inspector.md b/doc/api/inspector.md index 02aa1ac141..7406e36e73 100644 --- a/doc/api/inspector.md +++ b/doc/api/inspector.md @@ -43,6 +43,9 @@ started. If wait is `true`, will block until a client has connected to the inspect port and flow control has been passed to the debugger client. +See the [security warning](cli.html#inspector_security) regarding the `host` +parameter usage. + ## inspector.url() * Returns: {string|undefined} |
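Review bot: in the `--inspect-port` hunk of cli.md, "regarding the `host` parameter usage" reads awkwardly; "regarding use of the `host` parameter" is cleaner, and since the identical sentence is repeated in the inspector.md hunk, both copies should be changed together so the two documents stay consistent.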
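Review bot: in the new "Warning: binding inspector to a public IP:port combination is insecure" section of cli.md, "make sure that at least one of the following is true: either the host is not public, or the port is properly firewalled" doubles up "at least one" with "either ... or"; suggest "make sure that either the host is not publicly reachable or the port is firewalled against unwanted connections". The section also only names `--inspect=0.0.0.0` as the insecure case, while the `--inspect-port` option documented just above this hunk accepts the same `host` value (default `127.0.0.1`); one sentence stating that the warning applies to every option that takes a `host` would close that gap and give readers the safe default to keep.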
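Review bot: the `[remote code execution]` link definition added to cli.md points at OWASP's `Code_Injection` page, which describes a different vulnerability class (untrusted input interpreted as code) from what the warning is about (an exposed debugger that lets any connecting client evaluate arbitrary JavaScript in the process). Either link to a reference that describes exposed debug protocols, or drop the link and keep the phrase as plain text; the `[debugging security implications]` entry added in the same hunk already points readers at the Node.js debugging guide's security section, which covers this exact case.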
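Review bot: the inspector.md hunk links to `cli.html#inspector_security`, which depends on the explicit `<a id="inspector_security"></a>` anchor introduced in cli.md by this same change rather than on the heading's generated id; if that anchor is later removed in favour of the heading id, this cross-reference breaks silently, so an HTML comment next to the anchor noting that inspector.md links to it would help future editors. The note is also placed after the description of the `wait` behaviour, so readers scanning the `host` description of `inspector.open()` may not see it; moving it directly after the `host` description would put the warning where the decision is made.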