nodejs
diff --git a/Collapse file
‎lib/inspector.js‎
Copy file name to clipboardExpand all lines: lib/inspector.js
+13Lines changed: 13 additions & 0 deletions b/Collapse file
‎lib/inspector.js‎
Copy file name to clipboardExpand all lines: lib/inspector.js
+13Lines changed: 13 additions & 0 deletions
diff --git a/Collapse file
‎lib/internal/net.js‎
Copy file name to clipboardExpand all lines: lib/internal/net.js
+17Lines changed: 17 additions & 0 deletions b/Collapse file
‎lib/internal/net.js‎
Copy file name to clipboardExpand all lines: lib/internal/net.js
+17Lines changed: 17 additions & 0 deletions
diff --git a/Collapse file
‎test/parallel/test-inspector-host-warning.js‎
Copy file name to clipboard
+16Lines changed: 16 additions & 0 deletions b/Collapse file
‎test/parallel/test-inspector-host-warning.js‎
Copy file name to clipboard
+16Lines changed: 16 additions & 0 deletions
diff --git a/Collapse file
‎test/parallel/test-internal-net-isLoopback.js‎
Copy file name to clipboard
+32Lines changed: 32 additions & 0 deletions b/Collapse file
‎test/parallel/test-internal-net-isLoopback.js‎
Copy file name to clipboard
+32Lines changed: 32 additions & 0 deletions
@@ -18,6 +18,8 @@ const {
   ERR_INSPECTOR_NOT_WORKER,
 } = require('internal/errors').codes;
 
+const { isLoopback } = require('internal/net');
+
 const { hasInspector } = internalBinding('config');
 if (!hasInspector)
   throw new ERR_INSPECTOR_NOT_AVAILABLE();
@@ -172,6 +174,17 @@ function inspectorOpen(port, host, wait) {
   if (isUint32(port)) {
     validateInt32(port, 'port', 0, 65535);
   }
+  if (host && !isLoopback(host)) {
+    process.emitWarning(
+      'Binding the inspector to a public IP with an open port is insecure, ' +
+        'as it allows external hosts to connect to the inspector ' +
+        'and perform a remote code execution attack. ' +
+        'Documentation can be found at ' +
+      'https://nodejs.org/api/cli.html#--inspecthostport',
+      'SecurityWarning',
+    );
+  }
+
   open(port, host);
   if (wait)
     waitForDebugger();
 
@@ -68,11 +68,28 @@ function makeSyncWrite(fd) {
   };
 }
 
+/**
+ * https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
+ * https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+ * https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
+ */
+function isLoopback(host) {
+  const hostLower = host.toLowerCase();
+
+  return (
+    hostLower === 'localhost' ||
+    hostLower.startsWith('127.') ||
+    hostLower.startsWith('[::1]') ||
+    hostLower.startsWith('[0:0:0:0:0:0:0:1]')
+  );
+}
+
 module.exports = {
   kReinitializeHandle: Symbol('kReinitializeHandle'),
   isIP,
   isIPv4,
   isIPv6,
   makeSyncWrite,
   normalizedArgsSymbol: Symbol('normalizedArgs'),
+  isLoopback,
 };
@@ -0,0 +1,16 @@
+'use strict';
+
+const common = require('../common');
+common.skipIfInspectorDisabled();
+
+const inspector = require('inspector');
+inspector.open(0, '0.0.0.0', false);
+common.expectWarning(
+  'SecurityWarning',
+  'Binding the inspector to a public IP with an open port is insecure, ' +
+    'as it allows external hosts to connect to the inspector ' +
+    'and perform a remote code execution attack. ' +
+    'Documentation can be found at ' +
+    'https://nodejs.org/api/cli.html#--inspecthostport'
+);
+inspector.close();
@@ -0,0 +1,32 @@
+// Flags: --expose-internals
+'use strict';
+require('../common');
+const assert = require('assert');
+const net = require('internal/net');
+
+const loopback = [
+  'localhost',
+  '127.0.0.1',
+  '127.0.0.255',
+  '127.1.2.3',
+  '[::1]',
+  '[0:0:0:0:0:0:0:1]',
+];
+
+const loopbackNot = [
+  'example.com',
+  '192.168.1.1',
+  '10.0.0.1',
+  '255.255.255.255',
+  '[2001:db8::1]',
+  '[fe80::1]',
+  '8.8.8.8',
+];
+
+for (const address of loopback) {
+  assert.strictEqual(net.isLoopback(address), true);
+}
+
+for (const address of loopbackNot) {
+  assert.strictEqual(net.isLoopback(address), false);
+}