
github.com/webtorrent/webtorrent.git - Unnamed repository; edit this file 'description' to name the repository.
authoryan <yan@mit.edu>2018-01-12 10:39:56 +0300
committeryan <yan@mit.edu>2018-01-12 10:39:56 +0300
commiteea73a38ed8552c6a99cdd0dea5c9619dc955a21 (patch)
tree1990ef5645d4884a9c73c927f1b8df83a9a57293 /lib/server.js
parenta7f8f71597621bccbe0630771cd4bbf3c398f171 (diff)
Add hostname option to mitigate DNS rebinding
This adds the `hostname` opt to allow the server to validate the `Host` header of incoming requests to prevent DNS rebinding attacks. Needed for https://github.com/brave/browser-laptop/issues/12616.
Diffstat (limited to 'lib/server.js')
-rw-r--r--lib/server.js9
1 files changed, 9 insertions, 0 deletions
diff --git a/lib/server.js b/lib/server.js
index be45ddc..d0f5716 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -51,6 +51,15 @@ function Server (torrent, opts) {
// deny them
if (req.headers.origin == null) return false
+ // If a 'hostname' string is specified, deny requests with a 'Host'
+ // header that does not match the origin of the torrent server to prevent
+ // DNS rebinding attacks.
+ if (opts.hostname) {
+ if (req.headers.host !== `${opts.hostname}:${server.address().port}`) {
+ return false
+ }
+ }
+
// The user allowed all origins
if (opts.origin === '*') return true
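Review bot: The new Host check sits below `if (req.headers.origin == null) return false`, so a request that carries no `Origin` header returns before `req.headers.host` is ever compared. Requests from a rebound page are same-origin from the browser's point of view and will often carry no `Origin` header, so the check probably needs to run first: move the `if (opts.hostname) { … }` block above the origin test, or into the request handler itself. The caller of this function is outside the hunk; if a `false` return only withholds CORS headers rather than ending the response, a Host mismatch should instead reject the request outright before any content is served. The comparison is also an exact, case-sensitive match against `hostname:port`, which is worth a comment because a Host value that differs only in case would be refused.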