* @private * @param {{ [key: string]: string | undefined }} headers headers * @param {string} headerToCheck header to check * @param {boolean} validateHost need to validate host * @returns {boolean} true when host is valid, otherwise false
(headers, headerToCheck, validateHost = true)
| 3192 | * @returns {boolean} true when host is valid, otherwise false |
| 3193 | */ |
/**
 * Decide whether the host carried in a request header is acceptable.
 *
 * The checks run from cheapest to most permissive: the `"all"` escape hatch,
 * the raw-header protocol pattern, the user's allow-list, and finally (only
 * when `validateHost` is set) the built-in conveniences — literal IP
 * addresses, `localhost` and its subdomains, and the host the server listens
 * on. Port differences are ignored on purpose.
 *
 * @private
 * @param {{ [key: string]: string | undefined }} headers request headers
 * @param {string} headerToCheck name of the header to inspect
 * @param {boolean} validateHost when false, only `allowedHosts === "all"`,
 *   the protocol pattern and the explicit allow-list can accept the value;
 *   everything else is rejected
 * @returns {boolean} true when the host is acceptable, otherwise false
 */
isValidHost(headers, headerToCheck, validateHost = true) {
  // "all" turns host checking off entirely — every value is accepted.
  if (this.options.allowedHosts === "all") {
    return true;
  }

  const headerValue = headers[headerToCheck];

  // A missing or empty header is never trusted.
  if (!headerValue) {
    return false;
  }

  // Raw values matching the protocol pattern are accepted before any
  // hostname parsing takes place.
  if (DEFAULT_ALLOWED_PROTOCOLS.test(headerValue)) {
    return true;
  }

  // Only the hostname matters; a mismatching port is deliberately ignored.
  const hostname = this.#parseHostnameFromHeader(headerValue);

  if (hostname === null) {
    return false;
  }

  // The user's explicit allow-list wins regardless of validateHost.
  if (this.isHostAllowed(hostname)) {
    return true;
  }

  // Without further validation, anything not on the allow-list is rejected.
  if (!validateHost) {
    return false;
  }

  // Literal IPv4/IPv6 addresses are always accepted. Note that the header
  // keeps the brackets around an IPv6 address, and new URL() does not strip
  // them from the hostname either.
  if (ipaddr.IPv4.isValid(hostname) || ipaddr.IPv6.isValid(hostname)) {
    return true;
  }

  // localhost and its subdomains are accepted for convenience.
  if (hostname === "localhost" || hostname.endsWith(".localhost")) {
    return true;
  }

  // Last resort: the hostname of the address the server is listening on.
  return hostname === this.options.host;
}
| 3239 | |
| 3240 | /** |
| 3241 | * @private |