From 5da5804f8443224a42e9e412618dafeed4bee944 Mon Sep 17 00:00:00 2001 From: Ted John Date: Mon, 17 Aug 2020 14:26:19 +0100 Subject: [PATCH] Add localhost limitation --- src/openrct2/scripting/ScSocketServer.hpp | 32 ++++++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/src/openrct2/scripting/ScSocketServer.hpp b/src/openrct2/scripting/ScSocketServer.hpp index 1c540c3d13..8533fe562e 100644 --- a/src/openrct2/scripting/ScSocketServer.hpp +++ b/src/openrct2/scripting/ScSocketServer.hpp @@ -80,6 +80,12 @@ namespace OpenRCT2::Scripting private: std::shared_ptr _plugin; + protected: + static bool IsLocalhostAddress(const std::string_view& s) + { + return s == "localhost" || s == "127.0.0.1" || s == "::"; + } + public: ScSocketBase(const std::shared_ptr& plugin) : _plugin(plugin) @@ -166,6 +172,10 @@ namespace OpenRCT2::Scripting { duk_error(ctx, DUK_ERR_ERROR, "Socket is already connecting."); } + else if (!IsLocalhostAddress(host)) + { + duk_error(ctx, DUK_ERR_ERROR, "For security reasons, only connecting to localhost is allowed."); + } else { _socket = CreateTcpSocket(); @@ -354,11 +364,11 @@ namespace OpenRCT2::Scripting return this; } - ScSocketServer* listen(int32_t port, const DukValue& callback) + ScSocketServer* listen(int32_t port, const DukValue& dukHost) { + auto ctx = GetContext()->GetScriptEngine().GetContext(); if (_disposed) { - auto ctx = GetContext()->GetScriptEngine().GetContext(); duk_error(ctx, DUK_ERR_ERROR, "Socket is disposed."); } else 
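Review bot: `IsLocalhostAddress` accepts `"::"`, which is the IPv6 unspecified (wildcard) address rather than loopback, while the actual IPv6 loopback `"::1"` is rejected. For the connect check in the second hunk the effect is platform-dependent, but in `listen` (last hunk) a plugin passing `"::"` reaches `_socket->Listen(host, port)` and would presumably bind on every interface, which is the exposure this commit sets out to prevent. The comparison should read `return s == "localhost" || s == "127.0.0.1" || s == "::1";`. The match is also purely textual, so what `"localhost"` resolves to is left to the resolver; if the socket layer exposes the resolved address, verifying that it is a loopback address would be the stronger guard.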
@@ -370,12 +380,26 @@ namespace OpenRCT2::Scripting if (_socket->GetStatus() == SOCKET_STATUS_LISTENING) { - auto ctx = GetContext()->GetScriptEngine().GetContext(); duk_error(ctx, DUK_ERR_ERROR, "Server is already listening."); } else { - _socket->Listen(port); + if (dukHost.type() == DukValue::Type::STRING) + { + auto host = dukHost.as_string(); + if (IsLocalhostAddress(host)) + { + _socket->Listen(host, port); + } + else + { + duk_error(ctx, DUK_ERR_ERROR, "For security reasons, only binding to localhost is allowed."); + } + } + else + { + _socket->Listen("127.0.0.1", port); + } } } return this;
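Review bot: Any non-string second argument to `listen` falls through to the final `else` and silently binds `127.0.0.1`, so a plugin that passes a number, an object or a leftover callback gets a listener instead of an error. Only an omitted host should take the default; adding `else if (dukHost.type() != DukValue::Type::UNDEFINED) { duk_error(ctx, DUK_ERR_ERROR, "Host must be a string."); }` ahead of that final `else` keeps the default while rejecting everything else. `port` is also forwarded unchanged as an `int32_t`; unless `Listen` validates it (not visible here), a check against the valid TCP port range belongs next to the host check. The body of `listen` begins in the previous hunk.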