Add support for `Blob` #2229

lpinca · 2024-06-11T20:34:10Z

lpinca · 2024-06-13T18:10:04Z

@kettanaito I'm still not very happy with this because, other than compatibility with the WHAWG spec, it is pretty much useless. Anyway, here it is. I also didn't run any benchmarks to see the impact on performance.

kettanaito · 2024-06-14T19:59:07Z

lib/websocket.js

@@ -1030,6 +1031,11 @@ function initAsClient(websocket, address, protocols, options) {
 */
 function emitErrorAndClose(websocket, err) {
  websocket._readyState = WebSocket.CLOSING;
+  //
+  // The following assignment is practically useless and is done only for


Which summarizes the entire change pretty flawlessly. I am still grateful for this consistency! Thank you!

Closes #2206

titanism · 2024-07-04T02:45:18Z

Hi there @lpinca, I can't confirm exactly what's wrong here, but I did a minor version bump and this entirely broke our implementation of ws. It's sending everything over the wire as a BLOB now instead of as a Buffer it seems. Seems to be a major breaking change (e.g. we are using msgpackr under the hood to pack/unpack messages sent via websockets, and now they are throwing an error Source must be a Uint8Array or Buffer but was a Blob).

lpinca · 2024-07-04T05:37:03Z

@titanism are you are setting websocket.binaryType to 'blob'? Let's continue the discussion in #2239.

nikwen

Was just looking at the commit to make sure that upgrading ws won't break my app. Looks great overall. Just had a small suggestion. :)

nikwen · 2024-08-15T12:54:21Z

lib/websocket.js

+    websocket._errorEmitted = true;
+    websocket.emit('error', err);


This seems worthwhile to pull out into a small function:

function emitError(err) { websocket._errorEmitted = true; websocket.emit('error', err); }

Seems like these lines should always be called together. Pulling them out into a function will make it less likely that someone will forget to do so in the future.

![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123) <h3>Snyk has created this PR to upgrade ws from 8.17.1 to 8.18.0.</h3> :information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project. <hr/> - The recommended version is **1 version** ahead of your current version. - The recommended version was released on **a month ago**. <details> <summary>Release notes</summary> <details> <summary>Package name: ws</summary> <ul> <li> 8.18.0 - <a href="https://github.com/websockets/ws/releases/tag/8.18.0">2024-07-03</a><h1>Features</h1> <ul> <li>Added support for <code>Blob</code> (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2347258138" data-permission-text="Title is private" data-url="websockets/ws#2229" data-hovercard-type="pull_request" data-hovercard-url="/websockets/ws/pull/2229/hovercard" href="https://github.com/websockets/ws/pull/2229">#2229</a>).</li> </ul> </li> <li> 8.17.1 - <a href="https://github.com/websockets/ws/releases/tag/8.17.1">2024-06-16</a><h1>Bug fixes</h1> <ul> <li>Fixed a DoS vulnerability (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2355202628" data-permission-text="Title is private" data-url="websockets/ws#2231" data-hovercard-type="pull_request" data-hovercard-url="/websockets/ws/pull/2231/hovercard" href="https://github.com/websockets/ws/pull/2231">#2231</a>).</li> </ul> A request with a number of headers exceeding the<a href="https://nodejs.org/api/http.html#servermaxheaderscount" rel="nofollow"><code>server.maxHeadersCount</code></a> threshold could be used to crash a ws server. <div class="highlight highlight-source-js notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); });"><pre>const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); });</pre></div> The vulnerability was reported by <a href="https://github.com/rrlapointe">Ryan LaPointe</a> in <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="2354846108" data-permission-text="Title is private" data-url="websockets/ws#2230" data-hovercard-type="issue" data-hovercard-url="/websockets/ws/issues/2230/hovercard" href="https://github.com/websockets/ws/issues/2230">#2230</a>. In vulnerable versions of ws, the issue can be mitigated in the following ways: <ol> <li>Reduce the maximum allowed length of the request headers using the <a href="https://nodejs.org/api/cli.html#--max-http-header-sizesize" rel="nofollow"><code>--max-http-header-size=size</code></a> and/or the <a href="https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener" rel="nofollow"><code>maxHeaderSize</code></a> options so that no more headers than the <code>server.maxHeadersCount</code> limit can be sent.</li> <li>Set <code>server.maxHeadersCount</code> to <code>0</code> so that no limit is applied.</li> </ol> </li> </ul> from <a href="https://github.com/websockets/ws/releases">ws GitHub release notes</a> </details> </details> --- > [!IMPORTANT] > > - Check the changes in this PR to ensure they won't cause issues with your project. > - This PR was automatically created by Snyk using the credentials of a real user. --- **Note:** _You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs._ **For more information:** <img src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiI5OWYyNjVlZi00ZjIwLTQ2MTItOWI4NS05OGZhMTU1Y2IwN2IiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6Ijk5ZjI2NWVmLTRmMjAtNDYxMi05Yjg1LTk4ZmExNTVjYjA3YiJ9fQ==" width="0" height="0"/> > - 🧐 [View latest project report](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 📜 [Customise PR templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates) > - 🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr) > - 🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/okeamah/project/79f5fe07-5650-42a8-a92c-0ae46036ffc8/settings/integration?pkg=ws&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)

lpinca force-pushed the support/blob branch 7 times, most recently from 223c6fc to a83321b Compare June 13, 2024 17:53

lpinca force-pushed the support/blob branch from a83321b to 1b956f4 Compare June 13, 2024 20:05

kettanaito reviewed Jun 14, 2024

View reviewed changes

kettanaito approved these changes Jun 14, 2024

View reviewed changes

dharishbabu007 approved these changes Jun 21, 2024

View reviewed changes

[feature] Add support for Blob

5b44ba1

Closes #2206

lpinca force-pushed the support/blob branch from 1b956f4 to 5b44ba1 Compare July 1, 2024 20:29

lpinca merged commit 59b9629 into master Jul 2, 2024
101 checks passed

lpinca deleted the support/blob branch July 2, 2024 15:50

titanism mentioned this pull request Jul 4, 2024

Bug: v8.18.0 released major breaking change (not minor) and data sent as Blob (not Buffer) #2239

Closed

1 task

5twelve approved these changes Jul 21, 2024

View reviewed changes

This was referenced Jul 24, 2024

[Snyk] Upgrade ws from 8.2.3 to 8.18.0 X-oss-byte/ganache#641

Open

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 X-oss-byte/webpack-dev-server#91

Open

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 X-oss-byte/ccxt#48

Open

Exkaleburx mentioned this pull request Jul 24, 2024

[Snyk] Upgrade ws from 8.16.0 to 8.18.0 Exkaleburx/ccxt#36

Open

FaroukAmr mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.11.0 to 8.18.0 FaroukAmr/Web-Application#1071

Open

taeb3 mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 7.5.10 to 8.18.0 taeb3/gitlabs#140

Open

RosaleeKnight mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 RosaleeKnight/flappy-bird-clone#111

Merged

heyvaldemar mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 heyvaldemar/quake3-server-docker-compose#18

Merged

j-mendez mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 a11ywatch/core#425

Open

epacke mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 epacke/logstash-pipeline-tester#223

Merged

rater193 mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.2.3 to 8.18.0 Homestead-Game-Development/Voxels-Edge-Server#28

Open

KDONJS mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 KDONJS/biblioteca-api#4

Merged

This was referenced Jul 25, 2024

[Snyk] Upgrade ws from 8.14.2 to 8.18.0 LateAlways/KlientKonnectServer#1

Merged

[Snyk] Upgrade ws from 8.16.0 to 8.18.0 LateAlways/KlientKonnectClient#2

Merged

Alex-Werner mentioned this pull request Jul 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 Alex-Werner/bifrost-wss#5

Open

This was referenced Jul 26, 2024

[Snyk] Upgrade ws from 7.2.3 to 8.18.0 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#377

Open

[Snyk] Upgrade ws from 7.2.3 to 8.18.0 WontonSam/cachimanexpress.js-Design-Patterns-Third-Edition#386

Open

OKEAMAH mentioned this pull request Aug 1, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 OKEAMAH/ethers.js#8

Merged

kisuka mentioned this pull request Aug 4, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 kisuka/YiffSpot#113

Open

This was referenced Aug 7, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 INexizI/KR-DB#380

Merged

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 INexizI/KR-DB#382

Merged

neznaamey mentioned this pull request Aug 12, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 neznaamey/DiscordBotClient#24

Open

nikwen reviewed Aug 15, 2024

View reviewed changes

tim2zg mentioned this pull request Aug 16, 2024

[Snyk] Upgrade ws from 8.16.0 to 8.18.0 tim2zg/ioBroker.fronius-wattpilot#58

Merged

OKEAMAH mentioned this pull request Aug 18, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 https-github-com-okeamah/ethers.js#7

Open

This was referenced Aug 21, 2024

[Snyk] Upgrade ws from 8.13.0 to 8.18.0 ramzimalhas/SillyTavern#4

Open

[Snyk] Upgrade ws from 8.8.1 to 8.18.0 ramzimalhas/BrowserBox#2

Open

qdraw mentioned this pull request Aug 25, 2024

[Snyk] Upgrade ws from 8.17.1 to 8.18.0 qdraw/starsky#1666

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for `Blob` #2229

Add support for `Blob` #2229

lpinca commented Jun 11, 2024

lpinca commented Jun 13, 2024

kettanaito Jun 14, 2024

titanism commented Jul 4, 2024

lpinca commented Jul 4, 2024 •

edited

Loading

nikwen left a comment

nikwen Aug 15, 2024

		websocket._errorEmitted = true;
		websocket.emit('error', err);

Add support for Blob #2229

Add support for Blob #2229

Conversation

lpinca commented Jun 11, 2024

lpinca commented Jun 13, 2024

kettanaito Jun 14, 2024

Choose a reason for hiding this comment

titanism commented Jul 4, 2024

lpinca commented Jul 4, 2024 • edited Loading

nikwen left a comment

Choose a reason for hiding this comment

nikwen Aug 15, 2024

Choose a reason for hiding this comment

Add support for `Blob` #2229

Add support for `Blob` #2229

lpinca commented Jul 4, 2024 •

edited

Loading