From e1a0ce5af94cdb77e689916e730a655ea0ec823c Mon Sep 17 00:00:00 2001 From: Houkime Date: Thu, 2 Jan 2020 14:02:29 +0000 Subject: Prevent GDScript language server from listening to external hosts by default * Add bind_ip property to WebSocketServer defaulting to "*" (listen to everyone) * Set default for GDscript Language Server to listen only to localhost Fixes potential security issue with GDScript language server being exposed to the broad net by default. Since it is the server which primary usage is to provide utility to the local editor there is no need to expose it. --- modules/websocket/websocket_server.cpp | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'modules/websocket/websocket_server.cpp') diff --git a/modules/websocket/websocket_server.cpp b/modules/websocket/websocket_server.cpp index ded1850846..76e88d72b9 100644 --- a/modules/websocket/websocket_server.cpp +++ b/modules/websocket/websocket_server.cpp @@ -34,6 +34,7 @@ GDCINULL(WebSocketServer); WebSocketServer::WebSocketServer() { _peer_id = 1; + bind_ip = IP_Address("*"); } WebSocketServer::~WebSocketServer() { @@ -49,6 +50,10 @@ void WebSocketServer::_bind_methods() { ClassDB::bind_method(D_METHOD("get_peer_port", "id"), &WebSocketServer::get_peer_port); ClassDB::bind_method(D_METHOD("disconnect_peer", "id", "code", "reason"), &WebSocketServer::disconnect_peer, DEFVAL(1000), DEFVAL("")); + ClassDB::bind_method(D_METHOD("get_bind_ip"), &WebSocketServer::get_bind_ip); + ClassDB::bind_method(D_METHOD("set_bind_ip"), &WebSocketServer::set_bind_ip); + ADD_PROPERTY(PropertyInfo(Variant::STRING, "bind_ip"), "set_bind_ip", "get_bind_ip"); + ClassDB::bind_method(D_METHOD("get_private_key"), &WebSocketServer::get_private_key); ClassDB::bind_method(D_METHOD("set_private_key"), &WebSocketServer::set_private_key); ADD_PROPERTY(PropertyInfo(Variant::OBJECT, "private_key", PROPERTY_HINT_RESOURCE_TYPE, "CryptoKey", 0), "set_private_key", "get_private_key"); 
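Review bot: The constructor default `bind_ip = IP_Address("*")` keeps every WebSocketServer listening on all interfaces unless its owner narrows it, and nothing at the assignment says so. The localhost default for the language server that the commit message describes is not part of this file, so it cannot be confirmed from here that it is applied before listening starts. I would add a comment on the assignment, e.g. `// Wildcard = all interfaces (previous behaviour); servers meant for local clients must call set_bind_ip() before listening.`, and check the other in-tree users of this class for the same exposure.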
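Review bot: `D_METHOD("set_bind_ip")` binds the setter without naming its parameter, unlike `get_peer_port` and `disconnect_peer` a few lines up, so the scripting API will presumably show a generated argument name. `ClassDB::bind_method(D_METHOD("set_bind_ip", "bind_ip"), &WebSocketServer::set_bind_ip);` would name it. The property is registered as `Variant::STRING` while the accessors take and return `IP_Address`, so a short comment that the string has to be a literal address or `*` (which is what the setter accepts) would help script authors. `_bind_methods` begins and ends outside this hunk.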
@@ -67,6 +72,16 @@ void WebSocketServer::_bind_methods() { ADD_SIGNAL(MethodInfo("data_received", PropertyInfo(Variant::INT, "id"))); } +IP_Address WebSocketServer::get_bind_ip() const { + return bind_ip; +} + +void WebSocketServer::set_bind_ip(const IP_Address &p_bind_ip) { + ERR_FAIL_COND(is_listening()); + ERR_FAIL_COND(!p_bind_ip.is_valid() && !p_bind_ip.is_wildcard()); + bind_ip = p_bind_ip; +} + Ref WebSocketServer::get_private_key() const { return private_key; } -- cgit v1.2.3
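Review bot: Both guards in `set_bind_ip` fail by keeping the old value, so a rejected call leaves the server on whatever address it had before, which is the wildcard set in the constructor unless something changed it. The function returns void, so a caller that passes a string that does not parse as an address (presumably a hostname such as `localhost`), or that calls it after listening has started, only gets a generic error line and may believe the server is restricted to one interface. The message should say what happened, e.g. `ERR_FAIL_COND_MSG(!p_bind_ip.is_valid() && !p_bind_ip.is_wildcard(), "Invalid bind address, bind_ip left unchanged.");`, and likewise for the `is_listening()` guard. Whether the listening code actually passes `bind_ip` to the socket is not visible in this file's diff.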