Merge branch 'webpack:master' into publicPath-output

Author: adubrouski

.github/workflows/dependency-review.yml

@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repository"
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4

lib/Server.js

@@ -437,8 +437,9 @@ class Server {
           return network.address;
         });
 
-      for (const network of networks) {
-        host = network.address;
+      if (networks.length > 0) {
+        // Take the first network found
+        host = networks[0].address;
 
         if (host.includes(":")) {
           host = `[${host}]`;
@@ -1960,7 +1961,7 @@ class Server {
           (req.headers);
         const headerName = headers[":authority"] ? ":authority" : "host";
 
-        if (this.checkHeader(headers, headerName)) {
+        if (this.checkHeader(headers, headerName, true)) {
           next();
           return;
         }
@@ -1970,6 +1971,32 @@ class Server {
       },
     });
 
+    // Register setup cross origin request check for security
+    middlewares.push({
+      name: "cross-origin-header-check",
+      /**
+       * @param {Request} req
+       * @param {Response} res
+       * @param {NextFunction} next
+       * @returns {void}
+       */
+      middleware: (req, res, next) => {
+        const headers =
+          /** @type {{ [key: string]: string | undefined }} */
+          (req.headers);
+        if (
+          headers["sec-fetch-mode"] === "no-cors" &&
+          headers["sec-fetch-site"] === "cross-site"
+        ) {
+          res.statusCode = 403;
+          res.end("Cross-Origin request blocked");
+          return;
+        }
+
+        next();
+      },
+    });
+
     const isHTTP2 =
       /** @type {ServerConfiguration<A, S>} */ (this.options.server).type ===
       "http2";
@@ -2641,8 +2668,8 @@ class Server {
 
         if (
           !headers ||
-          !this.checkHeader(headers, "host") ||
-          !this.checkHeader(headers, "origin")
+          !this.checkHeader(headers, "host", true) ||
+          !this.checkHeader(headers, "origin", false)
         ) {
           this.sendMessage([client], "error", "Invalid Host/Origin header");
 
@@ -3095,9 +3122,10 @@ class Server {
    * @private
    * @param {{ [key: string]: string | undefined }} headers
    * @param {string} headerToCheck
+   * @param {boolean} allowIP
    * @returns {boolean}
    */
-  checkHeader(headers, headerToCheck) {
+  checkHeader(headers, headerToCheck, allowIP) {
     // allow user to opt out of this security check, at their own risk
     // by explicitly enabling allowedHosts
     if (this.options.allowedHosts === "all") {
@@ -3124,7 +3152,10 @@ class Server {
       true,
     ).hostname;
 
-    // always allow requests with explicit IPv4 or IPv6-address.
+    // allow requests with explicit IPv4 or IPv6-address if allowIP is true.
+    // Note that IP should not be automatically allowed for Origin headers,
+    // otherwise an untrusted remote IP host can send requests.
+    //
     // A note on IPv6 addresses:
     // hostHeader will always contain the brackets denoting
     // an IPv6-address in URLs,
@@ -3134,8 +3165,9 @@ class Server {
     // and its subdomains (hostname.endsWith(".localhost")).
     // allow hostname of listening address  (hostname === this.options.host)
     const isValidHostname =
-      (hostname !== null && ipaddr.IPv4.isValid(hostname)) ||
-      (hostname !== null && ipaddr.IPv6.isValid(hostname)) ||
+      (allowIP &&
+        hostname !== null &&
+        (ipaddr.IPv4.isValid(hostname) || ipaddr.IPv6.isValid(hostname))) ||
       hostname === "localhost" ||
       (hostname !== null && hostname.endsWith(".localhost")) ||
       hostname === this.options.host;

test/cli/host-option.test.js

@@ -1,5 +1,6 @@
 "use strict";
 
+const os = require("os");
 const { testBin, normalizeStderr } = require("../helpers/test-bin");
 const port = require("../ports-map")["cli-host"];
 const Server = require("../../lib/Server");
@@ -116,6 +117,127 @@ describe('"host" CLI option', () => {
     expect(normalizeStderr(stderr)).toMatchSnapshot("stderr");
   });
 
+  it('should work using "--host local-ip" take the first network found', async () => {
+    const { exitCode, stderr } = await testBin([
+      "--port",
+      port,
+      "--host",
+      "local-ip",
+    ]);
+
+    expect(exitCode).toEqual(0);
+    jest.spyOn(os, "networkInterfaces").mockImplementation(() => {
+      return {
+        lo: [
+          {
+            address: "127.0.0.1",
+            netmask: "255.0.0.0",
+            family: "IPv4",
+            mac: "00:00:00:00:00:00",
+            internal: true,
+            cidr: "127.0.0.1/8",
+          },
+          {
+            address: "::1",
+            netmask: "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+            family: "IPv6",
+            mac: "00:00:00:00:00:00",
+            internal: true,
+            cidr: "::1/128",
+            scopeid: 0,
+          },
+        ],
+        enp6s0: [
+          {
+            address: "192.168.1.15",
+            netmask: "255.255.255.0",
+            family: "IPv4",
+            mac: "50:eb:f6:97:9f:6f",
+            internal: false,
+            cidr: "192.168.1.15/24",
+          },
+          {
+            address: "2a01:cb0c:1623:6800:4ff8:723c:1a4b:fe5d",
+            netmask: "ffff:ffff:ffff:ffff::",
+            family: "IPv6",
+            mac: "50:eb:f6:97:9f:6f",
+            internal: false,
+            cidr: "2a01:cb0c:1623:6800:4ff8:723c:1a4b:fe5d/64",
+            scopeid: 0,
+          },
+          {
+            address: "2a01:cb0c:1623:6800:9acc:408c:ee87:27cf",
+            netmask: "ffff:ffff:ffff:ffff::",
+            family: "IPv6",
+            mac: "50:eb:f6:97:9f:6f",
+            internal: false,
+            cidr: "2a01:cb0c:1623:6800:9acc:408c:ee87:27cf/64",
+            scopeid: 0,
+          },
+          {
+            address: "fe80::bf2a:e5e2:8f9:4336",
+            netmask: "ffff:ffff:ffff:ffff::",
+            family: "IPv6",
+            mac: "50:eb:f6:97:9f:6f",
+            internal: false,
+            cidr: "fe80::bf2a:e5e2:8f9:4336/64",
+            scopeid: 2,
+          },
+        ],
+        "br-9bb0264f9b1c": [
+          {
+            address: "172.19.0.1",
+            netmask: "255.255.0.0",
+            family: "IPv4",
+            mac: "02:42:e4:c8:6e:5f",
+            internal: false,
+            cidr: "172.19.0.1/16",
+          },
+          {
+            address: "fe80::42:e4ff:fec8:6e5f",
+            netmask: "ffff:ffff:ffff:ffff::",
+            family: "IPv6",
+            mac: "02:42:e4:c8:6e:5f",
+            internal: false,
+            cidr: "fe80::42:e4ff:fec8:6e5f/64",
+            scopeid: 4,
+          },
+        ],
+        "br-a52e5d90701f": [
+          {
+            address: "172.18.0.1",
+            netmask: "255.255.0.0",
+            family: "IPv4",
+            mac: "02:42:f6:7e:a2:45",
+            internal: false,
+            cidr: "172.18.0.1/16",
+          },
+          {
+            address: "fe80::42:f6ff:fe7e:a245",
+            netmask: "ffff:ffff:ffff:ffff::",
+            family: "IPv6",
+            mac: "02:42:f6:7e:a2:45",
+            internal: false,
+            cidr: "fe80::42:f6ff:fe7e:a245/64",
+            scopeid: 5,
+          },
+        ],
+        docker0: [
+          {
+            address: "172.17.0.1",
+            netmask: "255.255.0.0",
+            family: "IPv4",
+            mac: "02:42:3e:89:61:cf",
+            internal: false,
+            cidr: "172.17.0.1/16",
+          },
+        ],
+      };
+    });
+    expect(stderr.indexOf("172.17.0.1") === -1);
+    expect(stderr.indexOf("192.168.1.15") > -1);
+  });
+
   it('should work using "--host local-ipv4"', async () => {
     const { exitCode, stderr } = await testBin([
       "--port",

test/e2e/__snapshots__/allowed-hosts.test.js.snap.webpack5

@@ -282,6 +282,32 @@ exports[`allowed hosts should disconnect web client using localhost to web socke
 
 exports[`allowed hosts should disconnect web client using localhost to web socket server with the "auto" value ("ws"): page errors 1`] = `[]`;
 
+exports[`allowed hosts should disconnect web client with origin header containing an IP address with the "auto" value ("sockjs"): console messages 1`] = `
+[
+  "[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.",
+  "[HMR] Waiting for update signal from WDS...",
+  "Hey.",
+  "[webpack-dev-server] Invalid Host/Origin header",
+  "[webpack-dev-server] Disconnected!",
+  "[webpack-dev-server] Trying to reconnect...",
+]
+`;
+
+exports[`allowed hosts should disconnect web client with origin header containing an IP address with the "auto" value ("sockjs"): page errors 1`] = `[]`;
+
+exports[`allowed hosts should disconnect web client with origin header containing an IP address with the "auto" value ("ws"): console messages 1`] = `
+[
+  "[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.",
+  "[HMR] Waiting for update signal from WDS...",
+  "Hey.",
+  "[webpack-dev-server] Invalid Host/Origin header",
+  "[webpack-dev-server] Disconnected!",
+  "[webpack-dev-server] Trying to reconnect...",
+]
+`;
+
+exports[`allowed hosts should disconnect web client with origin header containing an IP address with the "auto" value ("ws"): page errors 1`] = `[]`;
+
 exports[`allowed hosts should disconnect web socket client using custom hostname from web socket server with the "auto" value based on the "host" header ("sockjs"): console messages 1`] = `
 [
   "[webpack-dev-server] Server started: Hot Module Replacement enabled, Live Reloading enabled, Progress disabled, Overlay enabled.",

test/e2e/allowed-hosts.test.js

@@ -1206,6 +1206,86 @@ describe("allowed hosts", () => {
         await server.stop();
       }
     });
+
+    it(`should disconnect web client with origin header containing an IP address with the "auto" value ("${webSocketServer}")`, async () => {
+      const devServerHost = "127.0.0.1";
+      const devServerPort = port1;
+      const proxyHost = devServerHost;
+      const proxyPort = port2;
+
+      const compiler = webpack(config);
+      const devServerOptions = {
+        client: {
+          webSocketURL: {
+            port: port2,
+          },
+        },
+        webSocketServer,
+        port: devServerPort,
+        host: devServerHost,
+        allowedHosts: "auto",
+      };
+      const server = new Server(devServerOptions, compiler);
+
+      await server.start();
+
+      function startProxy(callback) {
+        const app = express();
+
+        app.use(
+          "/",
+          createProxyMiddleware({
+            // Emulation
+            onProxyReqWs: (proxyReq) => {
+              proxyReq.setHeader("origin", "http://192.168.1.1/");
+            },
+            target: `http://${devServerHost}:${devServerPort}`,
+            ws: true,
+            changeOrigin: true,
+            logLevel: "warn",
+          }),
+        );
+
+        return app.listen(proxyPort, proxyHost, callback);
+      }
+
+      const proxy = await new Promise((resolve) => {
+        const proxyCreated = startProxy(() => {
+          resolve(proxyCreated);
+        });
+      });
+
+      const { page, browser } = await runBrowser();
+
+      try {
+        const pageErrors = [];
+        const consoleMessages = [];
+
+        page
+          .on("console", (message) => {
+            consoleMessages.push(message);
+          })
+          .on("pageerror", (error) => {
+            pageErrors.push(error);
+          });
+
+        await page.goto(`http://${proxyHost}:${proxyPort}/`, {
+          waitUntil: "networkidle0",
+        });
+
+        expect(
+          consoleMessages.map((message) => message.text()),
+        ).toMatchSnapshot("console messages");
+        expect(pageErrors).toMatchSnapshot("page errors");
+      } catch (error) {
+        throw error;
+      } finally {
+        proxy.close();
+
+        await browser.close();
+        await server.stop();
+      }
+    });
   }
 
   describe("check host headers", () => {