fix: respect the allowedHosts option for cross-origin header check (#5510)

Author: kretajak

lib/Server.js

@@ -250,6 +250,8 @@ const encodeOverlaySettings = (setting) =>
     ? encodeURIComponent(setting.toString())
     : setting;
 
+const DEFAULT_ALLOWED_PROTOCOLS = /^(file|.+-extension):/i;
+
 class Server {
   /**
    * @param {Configuration | Compiler | MultiCompiler} options
@@ -2011,7 +2013,7 @@ class Server {
        */
       (req, res, next) => {
         if (
-          this.checkHeader(
+          this.isValidHost(
             /** @type {{ [key: string]: string | undefined }} */
             (req.headers),
             "host",
@@ -2222,6 +2224,14 @@ class Server {
         const headers =
           /** @type {{ [key: string]: string | undefined }} */
           (req.headers);
+
+        const headerName = headers[":authority"] ? ":authority" : "host";
+
+        if (this.isValidHost(headers, headerName, false)) {
+          next();
+          return;
+        }
+
         if (
           headers["sec-fetch-mode"] === "no-cors" &&
           headers["sec-fetch-site"] === "cross-site"
@@ -2625,8 +2635,8 @@ class Server {
 
         if (
           !headers ||
-          !this.checkHeader(headers, "host", true) ||
-          !this.checkHeader(headers, "origin", false)
+          !this.isValidHost(headers, "host", true) ||
+          !this.isValidHost(headers, "origin", false)
         ) {
           this.sendMessage([client], "error", "Invalid Host/Origin header");
 
@@ -3082,80 +3092,93 @@ class Server {
    * @private
    * @param {{ [key: string]: string | undefined }} headers
    * @param {string} headerToCheck
-   * @param {boolean} allowIP
+   * @param {boolean} validateHost
    * @returns {boolean}
    */
-  checkHeader(headers, headerToCheck, allowIP) {
-    // allow user to opt out of this security check, at their own risk
-    // by explicitly enabling allowedHosts
+  isValidHost(headers, headerToCheck, validateHost = true) {
     if (this.options.allowedHosts === "all") {
       return true;
     }
 
     // get the Host header and extract hostname
     // we don't care about port not matching
-    const hostHeader = headers[headerToCheck];
+    const header = headers[headerToCheck];
 
-    if (!hostHeader) {
+    if (!header) {
       return false;
     }
 
-    if (/^(file|.+-extension):/i.test(hostHeader)) {
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(header)) {
       return true;
     }
 
     // use the node url-parser to retrieve the hostname from the host-header.
     const hostname = url.parse(
-      // if hostHeader doesn't have scheme, add // for parsing.
-      /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+      // if header doesn't have scheme, add // for parsing.
+      /^(.+:)?\/\//.test(header) ? header : `//${header}`,
       false,
       true
     ).hostname;
 
-    // allow requests with explicit IPv4 or IPv6-address if allowIP is true.
-    // Note that IP should not be automatically allowed for Origin headers,
-    // otherwise an untrusted remote IP host can send requests.
-    //
+    if (hostname === null) {
+      return false;
+    }
+
+    if (this.isHostAllowed(hostname)) {
+      return true;
+    }
+
+    // always allow requests with explicit IPv4 or IPv6-address.
     // A note on IPv6 addresses:
-    // hostHeader will always contain the brackets denoting
+    // header will always contain the brackets denoting
     // an IPv6-address in URLs,
     // these are removed from the hostname in url.parse(),
     // so we have the pure IPv6-address in hostname.
     // For convenience, always allow localhost (hostname === 'localhost')
     // and its subdomains (hostname.endsWith(".localhost")).
     // allow hostname of listening address  (hostname === this.options.host)
-    const isValidHostname =
-      (allowIP &&
-        hostname !== null &&
-        (ipaddr.IPv4.isValid(hostname) || ipaddr.IPv6.isValid(hostname))) ||
-      hostname === "localhost" ||
-      (hostname !== null && hostname.endsWith(".localhost")) ||
-      hostname === this.options.host;
-
-    if (isValidHostname) {
-      return true;
-    }
+    const isValidHostname = validateHost
+      ? ipaddr.IPv4.isValid(hostname) ||
+        ipaddr.IPv6.isValid(hostname) ||
+        hostname === "localhost" ||
+        hostname.endsWith(".localhost") ||
+        hostname === this.options.host
+      : true;
+
+    return isValidHostname;
+  }
 
+  /**
+   * @private
+   * @param {string} value
+   * @returns {boolean}
+   */
+  isHostAllowed(value) {
     const { allowedHosts } = this.options;
 
+    // allow user to opt out of this security check, at their own risk
+    // by explicitly enabling allowedHosts
+    if (allowedHosts === "all") {
+      return true;
+    }
+
     // always allow localhost host, for convenience
-    // allow if hostname is in allowedHosts
+    // allow if value is in allowedHosts
     if (Array.isArray(allowedHosts) && allowedHosts.length > 0) {
-      for (let hostIdx = 0; hostIdx < allowedHosts.length; hostIdx++) {
-        const allowedHost = allowedHosts[hostIdx];
-
-        if (allowedHost === hostname) {
+      for (const allowedHost of allowedHosts) {
+        if (allowedHost === value) {
           return true;
         }
 
         // support "." as a subdomain wildcard
         // e.g. ".example.com" will allow "example.com", "www.example.com", "subdomain.example.com", etc
-        if (allowedHost[0] === ".") {
-          // "example.com"  (hostname === allowedHost.substring(1))
-          // "*.example.com"  (hostname.endsWith(allowedHost))
+        if (allowedHost.startsWith(".")) {
+          // "example.com"  (value === allowedHost.substring(1))
+          // "*.example.com"  (value.endsWith(allowedHost))
           if (
-            hostname === allowedHost.substring(1) ||
-            /** @type {string} */ (hostname).endsWith(allowedHost)
+            value === allowedHost.substring(1) ||
+            /** @type {string} */
+            (value).endsWith(allowedHost)
           ) {
             return true;
           }
@@ -3167,17 +3190,17 @@ class Server {
     if (
       this.options.client &&
       typeof (
-        /** @type {ClientConfiguration} */ (this.options.client).webSocketURL
+        /** @type {ClientConfiguration} */
+        (this.options.client).webSocketURL
       ) !== "undefined"
     ) {
       return (
         /** @type {WebSocketURL} */
         (/** @type {ClientConfiguration} */ (this.options.client).webSocketURL)
-          .hostname === hostname
+          .hostname === value
       );
     }
 
-    // disallow
     return false;
   }
 
@@ -3198,6 +3221,64 @@ class Server {
     }
   }
 
+  /**
+   * @private
+   * @param {{ [key: string]: string | undefined }} headers
+   * @returns {boolean}
+   */
+  isSameOrigin(headers) {
+    if (this.options.allowedHosts === "all") {
+      return true;
+    }
+
+    const originHeader = headers.origin;
+
+    if (!originHeader) {
+      return this.options.allowedHosts === "all";
+    }
+
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(originHeader)) {
+      return true;
+    }
+
+    const origin = url.parse(originHeader, false, true).hostname;
+
+    if (origin === null) {
+      return false;
+    }
+
+    if (this.isHostAllowed(origin)) {
+      return true;
+    }
+
+    const hostHeader = headers.host;
+
+    if (!hostHeader) {
+      return this.options.allowedHosts === "all";
+    }
+
+    if (DEFAULT_ALLOWED_PROTOCOLS.test(hostHeader)) {
+      return true;
+    }
+
+    const host = url.parse(
+      // if hostHeader doesn't have scheme, add // for parsing.
+      /^(.+:)?\/\//.test(hostHeader) ? hostHeader : `//${hostHeader}`,
+      false,
+      true
+    ).hostname;
+
+    if (host === null) {
+      return false;
+    }
+
+    if (this.isHostAllowed(host)) {
+      return true;
+    }
+
+    return origin === host;
+  }
+
   /**
    * @private
    * @param {Request} req

test/e2e/allowed-hosts.test.js

@@ -1276,7 +1276,7 @@ describe("allowed hosts", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "host")) {
+      if (!server.isValidHost(headers, "host")) {
         throw new Error("Validation didn't fail");
       }
 
@@ -1317,7 +1317,7 @@ describe("allowed hosts", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "host")) {
+      if (!server.isValidHost(headers, "host")) {
         throw new Error("Validation didn't fail");
       }
 
@@ -1360,7 +1360,7 @@ describe("allowed hosts", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "host")) {
+      if (!server.isValidHost(headers, "host")) {
         throw new Error("Validation didn't fail");
       }
 
@@ -1404,7 +1404,7 @@ describe("allowed hosts", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "host")) {
+      if (!server.isValidHost(headers, "host")) {
         throw new Error("Validation didn't fail");
       }
 
@@ -1444,7 +1444,7 @@ describe("allowed hosts", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "host")) {
+      if (!server.isValidHost(headers, "host")) {
         throw new Error("Validation didn't fail");
       }
 
@@ -1485,7 +1485,7 @@ describe("allowed hosts", () => {
       tests.forEach((test) => {
         const headers = { host: test };
 
-        if (!server.checkHeader(headers, "host")) {
+        if (!server.isValidHost(headers, "host")) {
           throw new Error("Validation didn't fail");
         }
       });
@@ -1535,7 +1535,7 @@ describe("allowed hosts", () => {
       tests.forEach((test) => {
         const headers = { host: test };
 
-        if (!server.checkHeader(headers, "host")) {
+        if (!server.isValidHost(headers, "host")) {
           throw new Error("Validation didn't fail");
         }
       });

test/e2e/api.test.js

@@ -837,7 +837,7 @@ describe("API", () => {
       tests.forEach((test) => {
         const headers = { host: test };
 
-        if (!server.checkHeader(headers, "host")) {
+        if (!server.isValidHost(headers, "host")) {
           throw new Error("Validation didn't pass");
         }
       });
@@ -886,7 +886,7 @@ describe("API", () => {
         waitUntil: "networkidle0",
       });
 
-      if (!server.checkHeader(headers, "origin")) {
+      if (!server.isValidHost(headers, "origin")) {
         throw new Error("Validation didn't fail");
       }
 

types/lib/Server.d.ts

@@ -3459,14 +3459,26 @@ declare class Server {
    * @param {NextFunction} next
    */
   private setHeaders;
+  /**
+   * @private
+   * @param {string} value
+   * @returns {boolean}
+   */
+  private isHostAllowed;
   /**
    * @private
    * @param {{ [key: string]: string | undefined }} headers
    * @param {string} headerToCheck
-   * @param {boolean} allowIP
+   * @param {boolean} validateHost
+   * @returns {boolean}
+   */
+  private isValidHost;
+  /**
+   * @private
+   * @param {{ [key: string]: string | undefined }} headers
    * @returns {boolean}
    */
-  private checkHeader;
+  private isSameOrigin;
   /**
    * @param {ClientConnection[]} clients
    * @param {string} type