Why does webpack-dev-server add a Host Check? #3

Open
fengzilong opened this issue Sep 20, 2019 · 0 comments

fengzilong commented Sep 20, 2019

Link: https://webpack.js.org/configuration/dev-server/#devserverdisablehostcheck

Scenario

webpack-dev-server has an option called disableHostCheck, and the host check is enabled by default. The webpack documentation advises against setting devServer's disableHostCheck to true, and mentions a term: DNS rebinding attacks.

So what are DNS rebinding attacks?

Explanation

Here are some references:

http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/
webpack/webpack-dev-server#887
https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a

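In short, the attacker binds the DNS of a domain to 127.0.0.1 and sends you a link to that malicious site. If the attacker knows your devServer port, the malicious site can access webpack's build output (this attack does not require being on the same LAN as you). Especially when devServer proxy is used, it can even reach some private services on the internal network. With the host check added, the domain of the site making the request can be verified, which prevents DNS rebinding attacks from malicious sites.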
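
The check described above, as an added example (not webpack-dev-server's own code): in a DNS rebinding attack the browser still sends the attacker's domain name in the Host header, so a server that only answers for expected names rejects the request. The function names, the leading-dot allowlist convention and the hostnames are assumptions of this example.

```javascript
// Added example: a Host-header allowlist, NOT webpack-dev-server's own source.
// Hostnames below (attacker.example, dev.example.test) are constructed.

function parseHostname(hostHeader) {
  if (typeof hostHeader !== "string" || hostHeader === "") return null;
  // A Host header is host[:port] only; refuse anything that could smuggle
  // userinfo, a path or a query into the URL parser used below.
  if (/[\/\\@?#\s]/.test(hostHeader)) return null;
  try {
    // URL handles ports and bracketed IPv6 literals such as [::1]:8080.
    const { hostname } = new URL(`http://${hostHeader}`);
    return hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

function isIpLiteral(hostname) {
  // After URL parsing, IPv4 is dotted-decimal and IPv6 is bracketed.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) ||
    (hostname.startsWith("[") && hostname.endsWith("]"));
}

function isHostAllowed(hostHeader, allowedHosts = []) {
  const hostname = parseHostname(hostHeader);
  if (hostname === null) return false;
  // An IP literal involves no DNS lookup, so it cannot be rebound.
  if (hostname === "localhost" || isIpLiteral(hostname)) return true;
  return allowedHosts.some((entry) => {
    const e = entry.toLowerCase();
    // ".dev.example.test" covers the domain and its subdomains (example convention).
    return e.startsWith(".")
      ? hostname === e.slice(1) || hostname.endsWith(e)
      : hostname === e;
  });
}

// Hypothetical request gate: decide before any file or proxy handler runs.
function checkRequest(headers, allowedHosts) {
  return isHostAllowed(headers.host, allowedHosts)
    ? { status: 200 }
    : { status: 403, body: "Invalid Host header" };
}

// Constructed requests: a direct visit, and one arriving via a rebound domain.
console.log(checkRequest({ host: "localhost:8080" }, []));
console.log(checkRequest({ host: "rebind.attacker.example:8080" }, []));
```

Exact matching is what rejects look-alike names such as `localhost.attacker.example`, which a prefix or substring test would let through.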

@fengzilong fengzilong changed the title "What are the security risks of setting webpack disableHostCheck to true?" to "Why does webpack-dev-server add a host check" Sep 20, 2019
@fengzilong fengzilong changed the title "Why does webpack-dev-server add a host check" to "Why does webpack-dev-server add a Host Check" Sep 23, 2019