Listening on all IP addresses after update to @4

[ojab]

• This is a bug
• This is a modification request

Code

I can craft minimal reproducer if needed, but hopefully it's not needed.

Please paste the results of webpack-cli info here, and mention other relevant information

  System:
    OS: Linux 5.13 undefined
    CPU: (8) x64 AMD Ryzen 5 2400G with Radeon Vega Graphics
    Memory: 382.79 MB / 29.33 GB
  Binaries:
    Node: 16.0.0 - ~/.nvm/versions/node/v16.0.0/bin/node
    Yarn: 1.22.5 - ~/.yarn/bin/yarn
    npm: 7.10.0 - ~/.nvm/versions/node/v16.0.0/bin/npm
  Browsers:
    Firefox: 89.0.2
  Packages:
    fork-ts-checker-webpack-plugin: >= 6.3.1 => 6.3.2 
    html-webpack-harddisk-plugin: >= 2.0.0 => 2.0.0 
    html-webpack-plugin: >= 5.3.2 => 5.3.2 
    monaco-editor-webpack-plugin: >= 4.1.1 => 4.1.1 
    webpack: >= 5.11.0 => 5.49.0 
    webpack-cli: >= 4.2.0 => 4.7.2 
    webpack-dev-server: >= 4.0.0-rc.0 => 4.0.0-rc.0 

Expected Behavior

webpack-dev-server listens on localhost addresses

Actual Behavior

webpack-dev-server listens on all addresses

For Bugs; How can we reproduce the behavior?

I suspect it's caused by #2869 and it's intentional. In my case (external local IP) it means that when I start webpack-dev-server — it's exposed to the internet on well-known port 8080 and in a minute or so there are bot scans.
While it produces Invalid Host header in browser, curl -H 'Host: localhost' ojab.ru:8080 shows directory listing.

It's unexpected and dangerous, for example right now security issues in webpack-dev-server deps are not counted as a real security issues because there is an expectation that it's accessible only by developer themself, but this is opt-out behavior now.
Developer tools shouldn't be accessible by anyone via network by default.

For Features; What is the motivation and/or use-case for the feature?

[alexander-akait]

webpack-dev-server listens on all addresses

We change this behavior to match Node.js http/https behavior, we have allowedHosts to pervert security problems

It's unexpected and dangerous, for example right now security issues in webpack-dev-server deps are not counted as a real security issues because there is an expectation that it's accessible only by developer themself, but this is opt-out behavior now.

We produce Invalid Host header when you don't have your host in allowedHosts, so no security problems should happens

Feel free to feedback

[ojab]

We produce Invalid Host header when you don't have your host in allowedHosts, so no security problems should happens

yeah, but it's easily faked by adding Host: localhost header, so it's not a real defense

We change this behavior to match Node.js http/https behavior

webpack-dev-server is not a general-purpose web server, so IMHO user's expectations (not accessible via external addresses by default) should be taken into account.
It's especially dangerous because yarn upgrade webpack-dev-server just works, but after 3 -> 4 update it silently becomes exposed to the external network.

[alexander-akait]

Development on computer which has direct access from an external network in its very essence is not secure, you can simply forget to close access to something in firewall. Also, your operating system may have expolits that can be used. If you need security maybe you need to change the approach to development.

yeah, but it's easily faked by adding Host: localhost header, so it's not a real defense

We check origin too, not only host

[ojab]

Development on computer which has direct access from an external network in its very essence is not secure, you can simply forget to close access to something in firewall.

Yeah, because some development tools listens on external network by default for some reason 😏
Deliberate action from the user should be needed for this, exposing dev server even to LAN by default is not nice.

Also, your operating system may have expolits that can be used. If you need security maybe you need to change the approach to development.

Sure, but I trust my OS more than some random nodejs app, especially since in real life it's way easier to keep your own OS up2date than all the JS apps that you're working on.

We check origin too, not only host

As I wrote before, curl -H 'Host: localhost' ojab.ru:8080 returns an answer, so it's easily circumvented.

Overall I don't see how this change improves anything for the users, but I see how it could hurt them.

[alexander-akait]

Sure, but I trust my OS more than some random nodejs app, especially since in real life it's way easier to keep your own OS up2date than all the JS apps that you're working on.

Any application in your os (and there are quite a few of them even by default) may be security problem here.

At the moment, we have no plans to change this logic (because it was discussed and most of developers agreed to this change), but after stable release we will get more feedback and maybe revisit it.