From 76d47c1479002022a3e4357b3c9f0e23a68d4cd2 Mon Sep 17 00:00:00 2001
From: Luigi Pinca
Date: Tue, 25 May 2021 11:00:58 +0200
Subject: [PATCH] [security] Fix ReDoS vulnerability

A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server.

PoC and fix were sent privately by Robert McLaughlin from University of California, Santa Barbara.
---
 lib/websocket-server.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/websocket-server.js b/lib/websocket-server.js
index 70513edf2..707bd0849 100644
--- a/lib/websocket-server.js
+++ b/lib/websocket-server.js
@@ -251,7 +251,7 @@ class WebSocketServer extends EventEmitter {
     var protocol = req.headers['sec-websocket-protocol'];
 
     if (protocol) {
-      protocol = protocol.trim().split(/ *, */);
+      protocol = protocol.split(',').map(trim);
 
       //
       // Optionally call external protocol selection handler.
@@ -355,3 +355,15 @@ function abortHandshake (socket, code, message, headers) {
   socket.removeListener('error', socketOnError);
   socket.destroy();
 }
+
+/**
+ * Remove whitespace characters from both ends of a string.
+ *
+ * @param {String} str The string
+ * @return {String} A new string representing `str` stripped of whitespace
+ *   characters from both its beginning and end
+ * @private
+ */
+function trim(str) {
+  return str.trim();
+}
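Review bot: The new line `protocol = protocol.split(',').map(trim);` removes the backtracking-prone regex but leaves no trace of why, so a later tidy-up could fold the split and trim back into one pattern; a comment such as `// Split on ',' then trim each token separately: a single regex with adjacent optional-whitespace quantifiers can backtrack super-linearly on a crafted header value.` would pin the intent. The `trim` helper added in the second hunk would benefit from the same sentence in its JSDoc, since on its own it reads as a redundant wrapper around `String.prototype.trim`. Empty tokens from inputs like `a,,b` still reach the protocol list as `''`, as they did with the old split; whether a later check rejects them is outside this hunk. The enclosing method starts before and ends after the first hunk.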