Skip to content

Improve WebSocket handshake validation#5327

Merged
sdogruyol merged 5 commits intocrystal-lang:masterfrom
straight-shoota:jm-fix-websocket-key
Apr 27, 2018
Merged

Improve WebSocket handshake validation#5327
sdogruyol merged 5 commits intocrystal-lang:masterfrom
straight-shoota:jm-fix-websocket-key

Conversation

@straight-shoota
Copy link
Copy Markdown
Member

@straight-shoota straight-shoota commented Nov 27, 2017

This PR adds the following changes in accordance with RCF 6455]

  • WebSocketHandler verifies that Sec-WebSocket-Key is present (previously this unchecked fetch resulted in a KeyError) and fails with 400 Bad Request if not
  • WebSocketHandler verifies that Sec-WebSocket-Version is present and equals 13 and fails with 426 Upgrade Required if not
  • WebSocket::Protocol verifies that Sec-WebSocket-Accept is present and contains the correct challenge response

luislavena
luislavena reviewed Nov 28, 2017
View reviewed changes
src/http/web_socket/protocol.cr
raise ArgumentError.new("No host or path specified which are required.")
end

def self.key_challenge(key)
Copy link
Copy Markdown
Contributor

@luislavena luislavena Nov 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assume this is public because is used above (Protocol.key_challenge). In that case, perhaps will be better add a :nodoc: marker to avoid this showing up in the documentation?

Thank you.

Copy link
Copy Markdown
Member Author

@straight-shoota straight-shoota Nov 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this needs to be accessible from WebSocketHandler.
The entire Protocol class is just internal implementation and not documented.

Copy link
Copy Markdown
Contributor

@luislavena luislavena Nov 28, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, missed that from the PR diff, thank you for your response!

@straight-shoota
Copy link
Copy Markdown
Member Author

straight-shoota commented Dec 13, 2017

Could this get a review from @ysbaddaden?

asterite
asterite requested changes Jan 2, 2018
View reviewed changes
src/http/server/handlers/websocket_handler.cr Outdated
response = context.response

version = context.request.headers["Sec-WebSocket-Version"]?
unless version == WebSocket::Protocol::VERSION.to_s
Copy link
Copy Markdown
Member

@asterite asterite Jan 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's have WebSocket::Protocol::VERSION_STRING too, or something like that. I'd like to avoid a to_s call for each socket upgrade.

Copy link
Copy Markdown
Member Author

@straight-shoota straight-shoota Jan 2, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch 👍 It's only used as a string anyway, so I'll just change the datatype of the constant.

@straight-shoota
Copy link
Copy Markdown
Member Author

straight-shoota commented Apr 26, 2018

@asterite Care to give this a ✔️ ?

@sdogruyol sdogruyol merged commit d3be42e into crystal-lang:master Apr 27, 2018
@sdogruyol sdogruyol added this to the Next milestone Apr 27, 2018
@straight-shoota straight-shoota deleted the jm-fix-websocket-key branch April 27, 2018 09:06
@Sija
Copy link
Copy Markdown
Contributor

Sija commented Apr 27, 2018

It seems that this PR wasn't rebased onto master after merging #5776, causing CI to fail (see #6007 (comment) -> https://travis-ci.org/crystal-lang/crystal/jobs/372022339#L520-L527). Needs hotfix.

@bcardiff
Copy link
Copy Markdown
Member

bcardiff commented Apr 27, 2018

I think the commit should be rollbacked and reopen the PR. I just reach the issue while branching master.

sdogruyol added a commit that referenced this pull request Apr 27, 2018
@sdogruyol
Revert "Improve WebSocket handshake validation (#5327)"
525397a 
This reverts commit d3be42e.
@sdogruyol sdogruyol mentioned this pull request Apr 27, 2018
Merged
sdogruyol added a commit that referenced this pull request Apr 27, 2018
@sdogruyol
Revert "Improve WebSocket handshake validation (#5327)" (#6020)
d8e765e 
This reverts commit d3be42e.
@sdogruyol
Copy link
Copy Markdown
Member

sdogruyol commented Apr 27, 2018

Reverted the PR, master is ✔️ @straight-shoota can you reopen the PR?

@straight-shoota straight-shoota restored the jm-fix-websocket-key branch April 28, 2018 12:15
@straight-shoota straight-shoota mentioned this pull request Apr 28, 2018
Merged
@straight-shoota
Copy link
Copy Markdown
Member Author

straight-shoota commented Apr 28, 2018

I don't think you can reopen a merged PR. That'd be awkward.

It's #6027 now.

chris-huxtable pushed a commit to chris-huxtable/crystal that referenced this pull request Jun 6, 2018
@straight-shoota @chris-huxtable
Improve WebSocket handshake validation (crystal-lang#5327)
7504580
chris-huxtable pushed a commit to chris-huxtable/crystal that referenced this pull request Jun 6, 2018
@sdogruyol @chris-huxtable
Revert "Improve WebSocket handshake validation (crystal-lang#5327)" (c…
aebe264 
…rystal-lang#6020)

This reverts commit d3be42e.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asterite asterite asterite requested changes

@sdogruyol sdogruyol sdogruyol approved these changes

@RX14 RX14 RX14 approved these changes

+1 more reviewer

@luislavena luislavena luislavena left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind:refactor topic:stdlib

Projects

None yet

Milestone

0.25.0

Development

Successfully merging this pull request may close these issues.

7 participants

@straight-shoota @Sija @bcardiff @sdogruyol @luislavena @asterite @RX14