Skip to content

remove direct ip/port bypass in dev origin check #77414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 23, 2025
+5 −29
Merged

remove direct ip/port bypass in dev origin check #77414

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 2 additions & 16 deletions packages/next/src/server/lib/router-server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -323,15 +323,7 @@ export async function initialize(opts: {

// handle hot-reloader first
if (developmentBundler) {
if (
blockCrossSite(
req,
res,
config.allowedDevOrigins,
opts.hostname,
`${opts.port}`
)
) {
if (blockCrossSite(req, res, config.allowedDevOrigins, opts.hostname)) {
return
}
const origUrl = req.url || '/'
Expand Down Expand Up @@ -698,13 +690,7 @@ export async function initialize(opts: {

if (opts.dev && developmentBundler && req.url) {
if (
blockCrossSite(
req,
socket,
config.allowedDevOrigins,
opts.hostname,
`${opts.port}`
)
blockCrossSite(req, socket, config.allowedDevOrigins, opts.hostname)
) {
return
}
Expand Down
16 changes: 3 additions & 13 deletions packages/next/src/server/lib/router-utils/block-cross-site.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
import type { Duplex } from 'stream'
import type { IncomingMessage, ServerResponse } from 'webpack-dev-server'
import { parseUrl } from '../../../lib/url'
import net from 'net'
import { warnOnce } from '../../../build/output/log'
import { isCsrfOriginAllowed } from '../../app-render/csrf-protection'

Expand Down Expand Up @@ -36,8 +35,7 @@ export const blockCrossSite = (
req: IncomingMessage,
res: ServerResponse | Duplex,
allowedDevOrigins: string[] | undefined,
hostname: string | undefined,
activePort: string
hostname: string | undefined
): boolean => {
// in the future, these will be blocked by default when allowed origins aren't configured.
// for now, we warn when allowed origins aren't configured
Expand All @@ -52,7 +50,7 @@ export const blockCrossSite = (
allowedOrigins.push(hostname)
}

// only process _next URLs when
// only process _next URLs
if (!req.url?.includes('/_next')) {
return false
}
Expand All @@ -73,16 +71,8 @@ export const blockCrossSite = (

if (parsedOrigin) {
const originLowerCase = parsedOrigin.hostname.toLowerCase()
const isMatchingPort = parsedOrigin.port === activePort
const isIpRequest =
net.isIPv4(originLowerCase) || net.isIPv6(originLowerCase)

if (
// allow requests if direct IP and matching port and
// allow if any of the allowed origins match
!(isIpRequest && isMatchingPort) &&
!isCsrfOriginAllowed(originLowerCase, allowedOrigins)
) {
if (!isCsrfOriginAllowed(originLowerCase, allowedOrigins)) {
return warnOrBlockRequest(res, originLowerCase, mode)
}
}
Expand Down
Loading