[Security] Mitigate DNS rebinding flaw

[feross]

Fix: brave/brave-browser#5460

Submitter Checklist:

• Submitted a ticket for my issue if one did not already exist.
• Used Github auto-closing keywords in the commit message.
• Added/updated tests for this change (for new code or code which already has tests).
• Verified that these changes build without errors on
  • Android
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that these changes pass automated tests (unit, browser, security tests) on
  • iOS
  • Linux
  • macOS
  • Windows
• Verified that all lint errors/warnings are resolved (npm run lint)
• Ran git rebase master (if needed).
• Ran git rebase -i to squash commits (if needed).
• Tagged reviewers and labelled the pull request as needed.
• Request a security/privacy review as needed.
• Add appropriate QA labels (QA/Yes or QA/No) to include the closed issue in milestone
• Public documentation has been updated as necessary. For instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protection-Mode
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Custom-Headers
  • https://github.com/brave/brave-browser/wiki/Web-compatibility-issues-with-tracking-protection
  • https://github.com/brave/brave-browser/wiki/QA-Guide

Test Plan:

1. Go to https://webtorrent.io/free-torrents
2. Select Sintel (magnet link)
3. Start the download
4. Hover your mouse over the download link (the downward-facing arrow) and observe the link's port number. It should be something like e.g. 58630.
5. Run the following command in Terminal (tested on Mac): cat <(echo -en 'GET / HTTP/1.1\r\nHost: attacker.com\r\n\r\n') - | nc localhost 58630. Note: be sure to replace 58630 in the command with the actual port number you observed in Step 4.
6. The command should hang without outputting anything to Terminal at all. If you see an HTTP response or HTML, then this is broken. Nothing should be output from the command.

Reviewer Checklist:

• New files have MPL-2.0 license header.
• Request a security/privacy review as needed.
• Adequate test coverage exists to prevent regressions
• Verify test plan is specified in PR before merging to source

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on.
• All relevant documentation has been updated.

[feross]

The commit that we're pinning to now is here: brave/webtorrent@423f1fa

[feross]

Forgot to update package-lock.json so this will need review again.

[feross]

I'm getting a travis failure that I'm not sure is my fault. Any ideas?

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! audit The server said: Invalid package tree, run  npm install  to rebuild your package-lock.json

[yrliou]

I'm getting a travis failure that I'm not sure is my fault. Any ideas?

npm ERR! code ENOAUDIT
npm ERR! audit Your configured registry (https://registry.npmjs.org/) may not support audit requests, or the audit endpoint may be temporarily unavailable.
npm ERR! audit The server said: Invalid package tree, run  npm install  to rebuild your package-lock.json

As I shared through DM, this might be fixed if you remove node_modules and reinstall.

[feross]

Yep, thanks. That was the fix. Looks like npm gets confused by the fact that we're pinning to the forks of torrent-discovery and bittorrent-tracker while the webtorrent package also depends on its own versions of these, and so it messes up the package-lock.json depending on when install is run. :/

This annoyance should hopefully be fixed by: brave/brave-browser#856