When you send up an invalid message that isn't binary (in this example I sent up a string like looks like this "...`") it throws an exception that is un-catchable by anyone using this library
Create a server using y-websocket
Connect to the server using a tool like postman
Send up the message "..`" as a string
Bug: The server will crash with the following error:
Error: Integer out of range!
at Object.readVarUint (/projects/yjs-project/node_modules/lib0/decoding.js:247:13)
at messageListener (/projects/yjs-project/node_modules/y-websocket/bin/utils.js:167:32)
at WebSocket.<anonymous> (/projects/yjs-project/node_modules/y-websocket/bin/utils.js:236:69)
at WebSocket.emit (events.js:375:28)
at WebSocket.emit (domain.js:470:12)
at Receiver.receiverOnMessage (/projects/yjs-project/node_modules/ws/lib/websocket.js:835:20)
at Receiver.emit (events.js:375:28)
at Receiver.emit (domain.js:470:12)
at Receiver.dataMessage (/projects/yjs-project/node_modules/ws/lib/receiver.js:437:14)
at Receiver.getData (/projects/yjs-project/node_modules/ws/lib/receiver.js:367:17)
at Receiver.startLoop (/projects/yjs-project/node_modules/ws/lib/receiver.js:143:22)
at Receiver._write (/projects/yjs-project/node_modules/ws/lib/receiver.js:78:10)
at writeOrBuffer (internal/streams/writable.js:358:12)
at Receiver.Writable.write (internal/streams/writable.js:303:10)
at Socket.socketOnData (/projects/yjs-project/node_modules/ws/lib/websocket.js:910:35)
at Socket.emit (events.js:375:28)
This makes sense, the packet was not valid for y-websocket so it makes sense to throw. However the problem is that currently there is no way to catch this in a try catch block or prevent this from crashing the server because the error happens inside conn.on('message'). This means that it's very easy to DDoS y-websocket servers, by sending messages like the above and bringing them down. I got around this issue by forking y-websocket and adding a try catch in the utils.js messageListener function.
Ideally it would be great to catch this error and emit it somewhere were the end user can respond to it (conn.on('error') or doc.on('error)?)
Environment Information
yjs@^13.4.12
y-websocket v1.3.16
node v14
Note: I am using the utils directly, and am not using the src/y-websocket.js code in my project, but I assume this error will happen there too
When you send up an invalid message that isn't binary (in this example I sent up a string like looks like this "...`") it throws an exception that is un-catchable by anyone using this library
This makes sense, the packet was not valid for y-websocket so it makes sense to throw. However the problem is that currently there is no way to catch this in a try catch block or prevent this from crashing the server because the error happens inside conn.on('message'). This means that it's very easy to DDoS y-websocket servers, by sending messages like the above and bringing them down. I got around this issue by forking y-websocket and adding a try catch in the utils.js messageListener function.
Ideally it would be great to catch this error and emit it somewhere were the end user can respond to it (conn.on('error') or doc.on('error)?)
Environment Information
Note: I am using the utils directly, and am not using the src/y-websocket.js code in my project, but I assume this error will happen there too