Closed rrlapointe closed 3 weeks ago
Please create a minimal reproducible test case using only ws
. As per https://github.com/websockets/ws/issues/1838#issuecomment-769323770, https://github.com/websockets/ws/issues/1838#issuecomment-769334901 and https://github.com/websockets/ws/issues/1838#issuecomment-769346802 it cannot happen unless ws
is incorrectly used.
If the server 'upgrade'
event is emitted without the Upgrade
header then the bug is in Node.js core.
Here is a test case to reproduce the issue using only Node.js core modules.
const http = require('http');
const server = http.createServer();
server.maxHeadersCount = 1;
server.on('upgrade', function (request) {
console.log(request.headers);
});
server.listen(function () {
const { port } = server.address();
const request = http.request({
headers: {
foo: 'foo',
bar: 'bar',
baz: 'baz',
qux: 'qux',
connection: 'Upgrade',
upgrade: 'protocol'
},
host: '127.0.0.1',
port
});
request.end();
});
The 'upgrade'
event is emitted even if server.maxHeadersCount
is set to 1
. It seems that setting the property does not abort the request. If it is the expected behavior, I wonder what is the purpose of setting that limit.
Is there an existing issue for this?
Description
I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a
TypeError
from websocket-server.js line 246. This seems like a DoS issue.I found this similar issue: #1838
ws version
8.17.0
Node.js Version
v21.5.0
System
OS: Debian GNU/Linux 12 (bookworm) CPU: x64 Intel Core i5 CPU Memory: 2.62 GB / 6.58 GB Container: Yes Shell: /bin/bash
Expected result
I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a
TypeError
.Actual result
Attachments
No response