src: fix IPv4 validation in inspector_socket

tniessen · danielleadams · commit 754c9bfde06d · 2022-07-02T16:23:48.000-04:00
Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#320 CVE-ID: CVE-2022-32212 Backport-PR-URL: nodejs-private/node-private#323
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
@@ -164,14 +164,22 @@ static std::string TrimPort(const std::string& host) {
 static bool IsIPAddress(const std::string& host) {
   if (host.length() >= 4 && host.front() == '[' && host.back() == ']')
     return true;
-  int quads = 0;
+  uint_fast16_t accum = 0;
+  uint_fast8_t quads = 0;
+  bool empty = true;
+  auto endOctet = [&accum, &quads, &empty](bool final = false) {
+    return !empty && accum <= 0xff && ++quads <= 4 && final == (quads == 4) &&
+           (empty = true) && !(accum = 0);
+  };
   for (char c : host) {
-    if (c == '.')
-      quads++;
-    else if (!isdigit(c))
+    if (isdigit(c)) {
+      if ((accum = (accum * 10) + (c - '0')) > 0xff) return false;
+      empty = false;
+    } else if (c != '.' || !endOctet()) {
       return false;
+    }
   }
-  return quads == 3;
+  return endOctet(true);
 }
 
 // Constants for hybi-10 frame format.
diff --git a/test/cctest/test_inspector_socket.cc b/test/cctest/test_inspector_socket.cc
@@ -851,4 +851,78 @@ TEST_F(InspectorSocketTest, HostCheckedForUPGRADE) {
   expect_failure_no_delegate(UPGRADE_REQUEST);
 }
 
+TEST_F(InspectorSocketTest, HostIPChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 10.0.2.555:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostNegativeIPChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 10.0.-23.255:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetOutOfIntRangeChecked) {
+  const std::string INVALID_HOST_IP_REQUEST =
+      "GET /json HTTP/1.1\r\n"
+      "Host: 127.0.0.4294967296:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpOctetFarOutOfIntRangeChecked) {
+  const std::string INVALID_HOST_IP_REQUEST =
+      "GET /json HTTP/1.1\r\n"
+      "Host: 127.0.0.18446744073709552000:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetStartChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: .0.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetMidChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127..0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpEmptyOctetEndChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.0.:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooFewOctetsChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
+TEST_F(InspectorSocketTest, HostIpTooManyOctetsChecked) {
+  const std::string INVALID_HOST_IP_REQUEST = "GET /json HTTP/1.1\r\n"
+                                              "Host: 127.0.0.0.1:9229\r\n\r\n";
+  send_in_chunks(INVALID_HOST_IP_REQUEST.c_str(),
+                 INVALID_HOST_IP_REQUEST.length());
+  expect_handshake_failure();
+}
+
 }  // anonymous namespace
