dns,net: reject hostnames with embedded NUL bytes

Refs: https://hackerone.com/reports/3656716
PR-URL: nodejs-private/node-private#868
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48930

Author: mcollina

lib/dns.js

@@ -83,7 +83,7 @@ const {
   validateNumber,
   validateOneOf,
   validatePort,
-  validateString,
+  validateStringWithoutNullBytes,
 } = require('internal/validators');
 
 const {
@@ -147,7 +147,7 @@ function lookup(hostname, options, callback) {
 
   // Parse arguments
   if (hostname) {
-    validateString(hostname, 'hostname');
+    validateStringWithoutNullBytes(hostname, 'hostname');
   }
 
   if (typeof options === 'function') {

lib/internal/dns/promises.js

@@ -70,6 +70,7 @@ const {
   validateOneOf,
   validatePort,
   validateString,
+  validateStringWithoutNullBytes,
 } = require('internal/validators');
 
 const kPerfHooksDnsLookupContext = Symbol('kPerfHooksDnsLookupContext');
@@ -200,7 +201,7 @@ function lookup(hostname, options) {
 
   // Parse arguments
   if (hostname) {
-    validateString(hostname, 'hostname');
+    validateStringWithoutNullBytes(hostname, 'hostname');
   }
 
   if (typeof options === 'number') {

lib/internal/validators.js

@@ -16,6 +16,7 @@ const {
   ObjectPrototypeHasOwnProperty,
   RegExpPrototypeExec,
   String,
+  StringPrototypeIncludes,
   StringPrototypeToUpperCase,
   StringPrototypeTrim,
 } = primordials;
@@ -165,6 +166,14 @@ const validateString = hideStackFrames((value, name) => {
     throw new ERR_INVALID_ARG_TYPE(name, 'string', value);
 });
 
+/** @type {validateString} */
+const validateStringWithoutNullBytes = hideStackFrames((value, name) => {
+  validateString(value, name);
+  if (StringPrototypeIncludes(value, '\u0000')) {
+    throw new ERR_INVALID_ARG_VALUE(name, value, 'must be a string without null bytes');
+  }
+});
+
 /**
  * @callback validateNumber
  * @param {*} value
@@ -677,6 +686,7 @@ module.exports = {
   validatePort,
   validateSignalName,
   validateString,
+  validateStringWithoutNullBytes,
   validateUint32,
   validateUndefined,
   validateUnion,

lib/net.js

@@ -135,6 +135,7 @@ const {
   validateNumber,
   validatePort,
   validateString,
+  validateStringWithoutNullBytes,
 } = require('internal/validators');
 const kLastWriteQueueSize = Symbol('lastWriteQueueSize');
 const { getOptionValue } = require('internal/options');
@@ -1371,7 +1372,7 @@ function lookupAndConnect(self, options) {
   const host = options.host || 'localhost';
   let { port, autoSelectFamilyAttemptTimeout, autoSelectFamily } = options;
 
-  validateString(host, 'options.host');
+  validateStringWithoutNullBytes(host, 'options.host');
 
   if (localAddress && !isIP(localAddress)) {
     throw new ERR_INVALID_IP_ADDRESS(localAddress);

test/parallel/test-dns-lookup.js

@@ -23,6 +23,17 @@ const dnsPromises = dns.promises;
   assert.throws(() => dnsPromises.lookup(1, {}), err);
 }
 
+{
+  const err = {
+    code: 'ERR_INVALID_ARG_VALUE',
+    name: 'TypeError',
+    message: /The argument 'hostname' must be a string without null bytes\./,
+  };
+
+  assert.throws(() => dns.lookup('127.0.0.1\u0000.allowed.example', {}), err);
+  assert.throws(() => dnsPromises.lookup('127.0.0.1\u0000.allowed.example', {}), err);
+}
+
 // This also verifies different expectWarning notations.
 common.expectWarning({
   // For 'internal/test/binding' module.

test/parallel/test-net-connect-options-invalid.js

@@ -37,3 +37,16 @@ const net = require('net');
     name: 'TypeError',
   });
 }
+
+{
+  assert.throws(() => {
+    net.createConnection({
+      host: '127.0.0.1\u0000.allowed.example',
+      port: 8080,
+    });
+  }, {
+    code: 'ERR_INVALID_ARG_VALUE',
+    name: 'TypeError',
+    message: /The property 'options\.host' must be a string without null bytes\./,
+  });
+}