Improve localhost checking in checkHost #903

Closed
mocheng opened this issue May 5, 2017 · 4 comments

@mocheng

mocheng commented May 5, 2017

What is the current behavior?
In 0.16.4, webpack-dev-server introduced host checking (#887). Even though localhost and 127.0.0.1 are by default exempt from host checking, it still brings trouble to local development.

In our team, our local environment host is localhost.xxxx.com, to share cookies with the domain xxxx.com. But localhost.xxxx.com is not taken as localhost.

What is the expected behavior?
It would be better to have localhost checking with regex.

Just change

if(hostname === "127.0.0.1" || hostname === "localhost") return true;
to be like

	// always allow localhost host, for convenience
	if(hostname === "127.0.0.1" || /localhost/.test(hostname)) return true;

I know there is a disableHostCheck option to webpack-dev-server. However, we're not directly depending on webpack-dev-server, but on react-server, which controls the options passed to webpack-dev-server. So improved localhost checking is preferred.
Thanks.

@edmorley

edmorley commented May 5, 2017

This would unfortunately defeat the newly added security measure. An attacker would just make sure the string "localhost" was present (e.g. <hash>.localhost.evilsite.com), thereby meaning DNS rebinding attacks were still possible per #887.

@orteth01
Contributor

orteth01 commented May 5, 2017

If #899 is accepted and merged, you'll be able to just add your domain to the allowed hosts!

devServer: {
    allowedHosts: [
        'localhost.xxxx.com'
    ]
}

OR if you needed subdomains other than localhost you can just do

devServer: {
    allowedHosts: [
        '.xxxx.com'
    ]
}

Mimicking Django's ALLOWED_HOSTS, an allowedHosts value beginning with "." can be used as a subdomain wildcard. '.example.com' will match example.com, www.example.com, and any other subdomain of example.com.

@orteth01
Contributor

orteth01 commented May 5, 2017

Just read the last paragraph of your issue and see you are not depending on webpack-dev-server directly. Sorry! Disregard above comment -__-

@shellscape
Contributor

The recent versions of this module have extended support for checkHost which I believe addresses the concerns of the issue. Going to close for now. Please call me out if I'm mistaken.
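
The two checks discussed in this thread, run side by side as an added example (not webpack-dev-server's code and not written by any participant): the substring test proposed in the issue against exact matching with an allowedHosts-style list. The function names, the Host header parsing and the sample headers are assumptions constructed for illustration.

```javascript
// Added illustration; not webpack-dev-server's code. All function names are hypothetical.

// Reduce a Host header to a lowercase hostname without port (IPv6 literals not handled).
function hostFromHeader(header) {
  const m = /^([^:\/\s]+)(?::\d+)?$/.exec(String(header || "").trim());
  return m ? m[1].toLowerCase().replace(/\.$/, "") : null;
}

// The change proposed in the issue: any hostname containing "localhost" passes.
function substringCheck(hostname) {
  return hostname === "127.0.0.1" || /localhost/.test(hostname);
}

// Exact match for loopback names, plus an allowlist in which an entry with a
// leading "." matches the bare domain and every subdomain of it.
function allowlistCheck(hostname, allowedHosts) {
  if (hostname === "127.0.0.1" || hostname === "localhost") return true;
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    if (e.startsWith(".")) return hostname === e.slice(1) || hostname.endsWith(e);
    return hostname === e;
  });
}

// Run both checks over a list of Host header values; unparsable headers fail both.
function compare(headers, allowedHosts) {
  return headers.map((header) => {
    const hostname = hostFromHeader(header);
    return {
      header,
      substring: hostname !== null && substringCheck(hostname),
      allowlist: hostname !== null && allowlistCheck(hostname, allowedHosts),
    };
  });
}

// Constructed Host header values; the domains are the placeholders used in the thread.
const SAMPLE_HEADERS = [
  "localhost:8080",                 // plain local development
  "localhost.xxxx.com:8080",        // the team's cookie-sharing host
  "abc123.localhost.evilsite.com",  // foreign name that merely contains "localhost"
  "xxxx.com.evilsite.com",          // foreign name that merely starts with the domain
];

console.table(compare(SAMPLE_HEADERS, ["localhost.xxxx.com"]));
```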
