Skip to content

doc: inspector security warning for changing host to a public IP#23640

Closed
ChALkeR wants to merge 3 commits intonodejs:masterfrom
ChALkeR:inspect-security-doc
Closed

doc: inspector security warning for changing host to a public IP#23640
ChALkeR wants to merge 3 commits intonodejs:masterfrom
ChALkeR:inspect-security-doc

Conversation

@ChALkeR
Copy link
Member

@ChALkeR ChALkeR commented Oct 13, 2018
edited
Loading

This is the documentation part of #23444.

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • documentation is changed or added
  • commit message follows commit guidelines

/cc @nodejs/documentation @nodejs/security-wg

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Oct 13, 2018

@ChALkeR build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1229/pipeline

@nodejs-github-bot nodejs-github-bot added the doc Issues and PRs related to the documentations. label Oct 13, 2018
@ChALkeR ChALkeR force-pushed the inspect-security-doc branch from c48bfaa to e552d34 Compare October 13, 2018 16:48
@ChALkeR ChALkeR added security Issues and PRs related to security. inspector Issues and PRs related to the V8 inspector protocol labels Oct 13, 2018
ofrobots
ofrobots reviewed Oct 13, 2018
View reviewed changes
doc/api/cli.md Outdated
Copy link
Contributor

@ofrobots ofrobots Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worthwhile linking to this page that talks about things in more detail: https://nodejs.org/en/docs/guides/debugging-getting-started/#security-implications

Copy link
Member Author

@ChALkeR ChALkeR Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks!

Copy link
Contributor

@thefourtheye thefourtheye Oct 15, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Specifically typo

sam-github
sam-github reviewed Oct 13, 2018
View reviewed changes
doc/api/cli.md Outdated
Copy link
Contributor

@sam-github sam-github Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"anyone of the outside" isn't grammatically correct - perhaps "as it allows other hosts to connect to the inspector"

Copy link
Member Author

@ChALkeR ChALkeR Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, with s/other/third-party/.

sam-github
sam-github reviewed Oct 13, 2018
View reviewed changes
doc/api/cli.md Outdated
Copy link
Contributor

@sam-github sam-github Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/IP/host/ - use the same word in both places

Copy link
Member Author

@ChALkeR ChALkeR Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks!

@ChALkeR ChALkeR force-pushed the inspect-security-doc branch from e552d34 to 9897f34 Compare October 13, 2018 17:36
addaleax
addaleax approved these changes Oct 13, 2018
View reviewed changes
doc/api/cli.md Outdated
Copy link
Member

@addaleax addaleax Oct 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security warning about providing a different `host` , or something similar to the added text in the other file? That would give people an indication about the circumstances in which there are security concerns upfront

Copy link
Member Author

@ChALkeR ChALkeR Oct 13, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to

See the security warning below regarding the host parameter usage.

and

See the security warning regarding the host parameter usage.

in two files.

Thanks!

@ChALkeR ChALkeR force-pushed the inspect-security-doc branch from 9897f34 to 825dbdb Compare October 13, 2018 19:23
@ChALkeR ChALkeR mentioned this pull request Oct 13, 2018
Closed
thefourtheye
thefourtheye approved these changes Oct 15, 2018
View reviewed changes
doc/api/cli.md Outdated
#### Warning: binding inspector to a public IP:port combination is insecure

Binding the inspector to a public IP (including `0.0.0.0`) with an open port is
insecure, as it allows third-party hosts to connect to the inspector and perform
Copy link
Contributor

@thefourtheye thefourtheye Oct 15, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't external hosts be better than third-party here? We don't even have a second party here.

Copy link
Member Author

@ChALkeR ChALkeR Oct 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will fix, thanks!

doc/api/cli.md Outdated
Copy link
Contributor

@thefourtheye thefourtheye Oct 15, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Specifically typo

@Trott
Copy link
Member

Trott commented Nov 6, 2018

Lite CI: https://ci.nodejs.org/job/node-test-pull-request-lite-pipeline/1506/

@Trott Trott added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Nov 6, 2018
@Trott
Copy link
Member

Trott commented Nov 6, 2018

Landed in 90be286

@Trott Trott closed this Nov 6, 2018
Trott pushed a commit to Trott/io.js that referenced this pull request Nov 6, 2018
@ChALkeR @Trott
doc: inspector security warning for changing host
90be286 
Refs: nodejs#23444
Refs: nodejs#21774

PR-URL: nodejs#23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
targos pushed a commit that referenced this pull request Nov 6, 2018
@ChALkeR @targos
doc: inspector security warning for changing host
8642eac 
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
@BridgeAR BridgeAR mentioned this pull request Nov 14, 2018
Merged
This was referenced Nov 15, 2018
Closed
Closed
This was referenced Nov 15, 2018
Closed
Closed
Closed
Closed
codebytere pushed a commit that referenced this pull request Nov 29, 2018
@ChALkeR @codebytere
doc: inspector security warning for changing host
bbed685 
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
MylesBorins pushed a commit that referenced this pull request Nov 29, 2018
@ChALkeR @MylesBorins
doc: inspector security warning for changing host
a77dc9a 
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
@codebytere codebytere mentioned this pull request Nov 29, 2018
Merged
MylesBorins pushed a commit that referenced this pull request Dec 3, 2018
@ChALkeR @MylesBorins
doc: inspector security warning for changing host
7f1e0e5 
Refs: #23444
Refs: #21774

PR-URL: #23640
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@addaleax addaleax addaleax approved these changes

@cjihrig cjihrig cjihrig approved these changes

@gireeshpunathil gireeshpunathil gireeshpunathil approved these changes

+4 more reviewers

@ofrobots ofrobots ofrobots left review comments

@sam-github sam-github sam-github approved these changes

@eugeneo eugeneo eugeneo approved these changes

@thefourtheye thefourtheye thefourtheye approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. doc Issues and PRs related to the documentations. inspector Issues and PRs related to the V8 inspector protocol security Issues and PRs related to security.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.