
github.com/nodejs/node.git
author Tobias Nießen <tniessen@tnie.de> 2022-11-07 01:08:59 +0300
committer GitHub <noreply@github.com> 2022-11-07 01:08:59 +0300
commit 7903f944ec385ef63c7fcc59872932a3926878b1 (patch)
tree 5129d82a5832fd2bf47f6cce30bc664b4582f3cf
parent e14321bb50be506231e395df36f555269668746e (diff)
src: resolve TODO related to inspector CVEs
This was not done before the security release because the latest CVE was not known at the time.

PR-URL: https://github.com/nodejs/node/pull/45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
-rw-r--r-- src/inspector_socket.cc | 7
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/inspector_socket.cc b/src/inspector_socket.cc
index 8001d893e1f..2c29ff04b25 100644
--- a/src/inspector_socket.cc
+++ b/src/inspector_socket.cc
@@ -162,11 +162,10 @@ static std::string TrimPort(const std::string& host) {
}
static bool IsIPAddress(const std::string& host) {
- // TODO(tniessen): add CVEs to the following bullet points
// To avoid DNS rebinding attacks, we are aware of the following requirements:
- // * the host name must be an IP address,
- // * the IP address must be routable, and
- // * the IP address must be formatted unambiguously.
+ // * the host name must be an IP address (CVE-2018-7160, CVE-2022-32212),
+ // * the IP address must be routable (hackerone.com/reports/1632921), and
+ // * the IP address must be formatted unambiguously (CVE-2022-43548).
// The logic below assumes that the string is null-terminated, so ensure that
// we did not somehow end up with null characters within the string.
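Review bot: the second bullet in this hunk cites a HackerOne report (hackerone.com/reports/1632921) while the first and third cite CVE identifiers, so the three requirements are documented inconsistently and the middle one may not be followable by readers if that report is not public. If a CVE was assigned for the routability issue, cite it alongside the report; if none was assigned, say so in the comment (e.g. `// * the IP address must be routable (no CVE; hackerone.com/reports/1632921), and`) so nobody re-opens the TODO looking for a missing identifier. Also worth a one-line note in the commit message that CVE-2022-43548 is the "latest CVE" referred to, since the message itself never names it.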