Core: Replace ip function with a small helper function to address security concerns #26073
Conversation
|
Removed dependencies detected. Learn more about Socket for GitHub 鈫楋笌 馃毊 Removed packages: npm/@types/ip@1.1.3 |
|
waiting for this PR to be merged ASAP ! |
| const allIps = Object.values(os.networkInterfaces()).flat(); | ||
| const allFilteredIps = allIps.filter((ip) => ip && ip.family === 'IPv4' && !ip.internal); | ||
|
|
||
| return allFilteredIps.length ? allFilteredIps[0]?.address : '127.0.0.1'; |
There was a problem hiding this comment.
Isn't 0.0.0.0 better suited for the else part?
There was a problem hiding this comment.
Good point. I've changed this to 0.0.0.0.
| const allIps = Object.values(os.networkInterfaces()).flat(); | ||
| const allFilteredIps = allIps.filter((ip) => ip && ip.family === 'IPv4' && !ip.internal); | ||
|
|
||
| return allFilteredIps.length ? allFilteredIps[0]?.address : '0.0.0.0'; |
There was a problem hiding this comment.
I am curious whether returning 0.0.0.0 makes sense. Can the Storybook server be reached in the browser when 0.0.0.0 is used? If not, I would rather return null/undefined and handle it appropriately in the getServerAddresses function. It should return networkAddress: undefined. In this case, the network address shouldn't be logged at all to the user's console, after the server starts.
There was a problem hiding this comment.
I'm not sure which returned value is better. The Storybook server is reachable via 0.0.0.0 in my browsers. Maybe it also depends on how to interpret 'On your network' in the log.
|
@cosieLq Thank you so much for your contribution! But I think we can close this. It seems that the security vulnerability was resolved in |
|
Superseded by #26086 |
Sure! But I sort of agree with the suggestion from #26025 . Since Storybook uses only part of one function from |
|
FYI, |
|
FYI, the usage here is not affected by CVE-2023-42282, because your network interface will not provide malformed addresses. However, the current implementation of the |
|
Since we have again a security issue with ip (see CVE-2024-29415), wouldn't be the time to re-open this PR to definitively get rid off this lib ? |
Closes #26014
What I did
I've listened to the suggestion from #26025 and added a small helper function to replace
ip.address, so that we can remove the insecure package ip. What the helper function does is essentially the same asip.address: it returns the first remotely accessible IPv4 address or otherwise the loopback.Checklist for Contributors
Testing
The changes in this PR are covered in the following automated tests:
Manual testing
This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!
Documentation
MIGRATION.MD
Checklist for Maintainers
When this PR is ready for testing, make sure to add
ci:normal,ci:mergedorci:dailyGH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found incode/lib/cli/src/sandbox-templates.tsMake sure this PR contains one of the labels below:
Available labels
bug: Internal changes that fixes incorrect behavior.maintenance: User-facing maintenance tasks.dependencies: Upgrading (sometimes downgrading) dependencies.build: Internal-facing build tooling & test updates. Will not show up in release changelog.cleanup: Minor cleanup style change. Will not show up in release changelog.documentation: Documentation only changes. Will not show up in release changelog.feature request: Introducing a new feature.BREAKING CHANGE: Changes that break compatibility in some way with current major version.other: Changes that don't fit in the above categories.馃 Canary release
This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the
@storybookjs/coreteam here.core team members can create a canary release here or locally with
gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>