
[security] Fix DoS vulnerability
Ignore extension and parameter names that are property names of
`Object.prototype` when parsing the `Sec-WebSocket-Extensions` header.
lpinca committed Nov 8, 2017
1 parent f7cfc51 commit f8fdcd4
Showing 2 changed files with 19 additions and 3 deletions.
17 changes: 14 additions & 3 deletions lib/Extensions.js
Expand Up @@ -20,7 +20,13 @@ function parse(value) {
value.split(',').forEach(function(v) {
var params = v.split(';');
var token = params.shift().trim();
var paramsList = extensions[token] = extensions[token] || [];

if (extensions[token] === undefined) {
extensions[token] = [];
} else if (!extensions.hasOwnProperty(token)) {
return;
}

var parsedParams = {};

params.forEach(function(param) {
Expand All @@ -38,10 +44,15 @@ function parse(value) {
value = value.slice(0, value.length - 1);
}
}
(parsedParams[key] = parsedParams[key] || []).push(value);

if (parsedParams[key] === undefined) {
parsedParams[key] = [value];
} else if (parsedParams.hasOwnProperty(key)) {
parsedParams[key].push(value);
}
});

paramsList.push(parsedParams);
extensions[token].push(parsedParams);
});

return extensions;
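Review bot: The new guards `extensions[token] === undefined` / `!extensions.hasOwnProperty(token)` and their twin on `parsedParams[key]` call `hasOwnProperty` through the receiver; that cannot be shadowed here because a `hasOwnProperty` token never reaches the assignment branch, but the intent is clearer and survives later edits if the check is `Object.prototype.hasOwnProperty.call(extensions, token)` (and the same for `parsedParams`). Since the two guards are identical in shape, a small helper such as `function hasOwn(obj, key) { return Object.prototype.hasOwnProperty.call(obj, key); }` would keep them in sync. The silent drop deserves a why-comment, e.g. `// Names inherited from Object.prototype (constructor, __proto__, ...) make extensions[token] a non-array; skip them instead of crashing.`, because a reader may otherwise assume unknown tokens are rejected rather than ignored. A null-prototype dictionary (`Object.create(null)`) would remove the need for both checks, but it changes the shape of the returned object, so it is only worth doing if callers and the `eql({})` tests are adjusted too. The body of `parse` begins and ends outside this hunk.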
5 changes: 5 additions & 0 deletions test/Extensions.test.js
Expand Up @@ -29,6 +29,11 @@ describe('Extensions', function() {
foo: [{ bar: ['hi'] }]
});
});

it('ignores names that match Object.prototype properties', function () {
Extensions.parse('hasOwnProperty, toString').should.eql({});
Extensions.parse('foo; constructor').should.eql({ foo: [{}] });
});
});

describe('format', function() {
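Review bot: The new test covers `hasOwnProperty`, `toString` and `constructor` but not `__proto__`, which is the Object.prototype name most likely to be probed and the one that is an accessor rather than a plain inherited function; it is worth pinning explicitly: `Extensions.parse('__proto__').should.eql({});` and `Extensions.parse('foo; __proto__').should.eql({ foo: [{}] });`. A mixed case with a legitimate parameter alongside a rejected one would also show that only the offending name is dropped rather than the whole extension, presumably something like `'foo; bar; constructor'` — the expected value depends on how a bare parameter name is represented, which is outside this hunk.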
