inspector: added --inspect-publish-uid #27741
379d809 to 5070b54

I addressed comments and added another option -

IMHO, that's unnecessary. Code that can access inspector API can already do pretty much anything.
eugeneo
left a comment
Approved modulo other review comments.
5070b54 to d48d6b4

I removed

I think that would warrant more discussions. I do not see utility of disabling the bindings. It would not help with the security (JS bindings are only accessible from inside the Node runtime). My main concern is that people would disable JS bindings "for security" and end up confused why some ecosystem tools stop working.
d48d6b4 to 177866f

Imagine for a second compromised In general if I can inject some code to Node process using compromised dependency or some other way, I get access to part of JS heap but not to everything. As soon as I can use inspector in this snippet - I get access to everything.
If people need some tool to work then they need to allow inspection. And some ecosystem tool can easily check that inspection flag was not passed and ask user to pass it - it is not a big deal.

I need to fix a test first.

OK, thanks! I've added the
177866f to 7129b9e
7129b9e to 106f4bf
This flag specifies how inspector websocket url should be reported.
Three options are supported:
- stderr - reports websocket as a message to stderr,
- http - exposes /json/list endpoint that contains inspector websocket
url,
- binding - require('inspector').url().
Related discussion: nodejs/diagnostics#303
106f4bf to ccc51ca

Landed in f0018a5
This flag specifies how inspector websocket url should be reported.
Three options are supported:
- stderr - reports websocket as a message to stderr,
- http - exposes /json/list endpoint that contains inspector websocket
url,
- binding - require('inspector').url().
Related discussion: nodejs/diagnostics#303
PR-URL: #27741
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
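An added example, not part of the pull request or the Node.js code base: a small audit of a Node.js option list that reports whether the inspector is enabled and through which of the channels named in the commit message above the websocket URL would be published. The function names, the result shape and the default used when the flag is absent (`stderr,http`) are assumptions of this example.

```javascript
// Added example: audit Node.js options for inspector websocket URL exposure.
// Channel names are the three listed in the commit message on this page.
const KNOWN_CHANNELS = ['stderr', 'http', 'binding'];
// Assumption: with the flag absent, the URL goes to stderr and /json/list.
const ASSUMED_DEFAULT = ['stderr', 'http'];

// Split "--flag=value" into [flag, value]; value is undefined without "=".
function splitFlag(arg) {
  const eq = arg.indexOf('=');
  return eq === -1 ? [arg, undefined] : [arg.slice(0, eq), arg.slice(eq + 1)];
}

// execArgv: Node.js options only (the shape of process.execArgv).
// Activation that never appears in argv (SIGUSR1, inspector.open()) is not seen.
function auditInspectorArgs(execArgv) {
  let enabled = false;
  let raw = null;
  for (let i = 0; i < execArgv.length; i++) {
    const [name, inline] = splitFlag(execArgv[i]);
    if (name === '--inspect' || name === '--inspect-brk') enabled = true;
    if (name === '--inspect-publish-uid') {
      // Accept both "--flag=value" and "--flag value".
      raw = inline !== undefined ? inline : (execArgv[++i] ?? '');
    }
  }
  const channels = raw === null
    ? ASSUMED_DEFAULT.slice()
    : raw.split(',').map((c) => c.trim()).filter(Boolean);
  const unknown = channels.filter((c) => !KNOWN_CHANNELS.includes(c));
  const findings = [];
  if (unknown.length) findings.push(`unrecognised channel(s): ${unknown.join(', ')}`);
  if (enabled && channels.includes('http')) {
    findings.push('websocket URL is listed at /json/list on the inspector port');
  }
  if (enabled && raw === null) {
    findings.push('--inspect-publish-uid not set; publication left to the default');
  }
  return { enabled, channels, unknown, findings };
}

// Constructed sample option lists, not taken from a real deployment.
const samples = [
  ['--inspect=127.0.0.1:9229'],
  ['--inspect', '--inspect-publish-uid=stderr'],
  ['--inspect-brk', '--inspect-publish-uid', 'http,bogus'],
];
for (const s of samples) console.log(s.join(' '), '=>', auditInspectorArgs(s));
```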
| - `--inspect` | ||
| - `--inspect-brk` | ||
| - `--inspect-port` | ||
| - `--inspect-publish-uid` |
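Review bot: the added `--inspect-publish-uid` entry at the end of this flag list gives no pointer to where its accepted values are documented. The commit message names three (stderr, http, binding), so the flag should have its own documented section that states those values and which of them apply when the flag is not passed, and a reader who meets the flag in this list should be able to reach that section.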
This should also be documented in ./doc/node.1.
Should this actually be semver-minor?

@BridgeAR this pull request does not change default behavior so I believe we do not need

@ak239 if it would change the default, I'd expect it to be semver-major? We normally declare all new features as semver-minor.

@BridgeAR I see, thank you for clarification. It is new feature so
Notable changes:
This release contains `semver-major` commits. These are in fact not
`semver-major` due to follow-up commits that remove all breaking changes.
* build:
  * The startup time is reduced by enabling V8 snapshots by default
    #28181
* deps:
  * Updated `V8` to 7.5.288.22 #27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c #28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure #27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    #27851
* report:
  * The cpu info got added to the report output
    #28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    #24260
* tools,gyp:
  * Introduce MSVS 2019 #27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      #28059
      #28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines #28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated #28021
PR-URL: #28268
This flag specifies how inspector websocket url should be exposed.
Supported options:
url,
require('inspector').url().
Related discussion: nodejs/diagnostics#303
Checklist
`make -j4 test` (UNIX), or `vcbuild test` (Windows) passes