godaddy
fix(deps): update dependency ws to v7.4.6 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| ws | 7.2.3 -> 7.4.6 |
GitHub Vulnerability Alerts
CVE-2021-32640
Impact
A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.
Proof of concept
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
const value = 'b' + ' '.repeat(length) + 'x';
const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}
Patches
The vulnerability was fixed in [email protected] (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to [email protected] (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and [email protected] (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).
Workarounds
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.
Credits
The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.
Release Notes
websockets/ws
v7.4.6
Bug fixes
- Fixed a ReDoS vulnerability (
00c425e).
A specially crafted value of the Sec-Websocket-Protocol header could be used
to significantly slow down a ws server.
for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
const value = 'b' + ' '.repeat(length) + 'x';
const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}
The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.
In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
allowed length of the request headers using the --max-http-header-size=size
and/or the maxHeaderSize options.
v7.4.5
Bug fixes
- UTF-8 validation is now done even if
utf-8-validateis not installed (23ba6b2). - Fixed an edge case where
websocket.close()andwebsocket.terminate()did not close the connection (67e25ff).
v7.4.4
Bug fixes
- Fixed a bug that could cause the process to crash when using the
permessage-deflate extension (
9277437).
v7.4.3
Bug fixes
- The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (#1840).
v7.4.2
Bug fixes
- Silenced a deprecation warning (
a2c0d44).
v7.4.1
Bug fixes
- Added a workaround for a double
'error'event bug in Node.js < 13 which caused an uncaught error during the WebSocket handshake (38d6ab3).
v7.4.0
Features
- The callback of
WebSocketServer.prototype.handleUpgrade()now takes the client HTTP GET request as second argument (7d39f19).
Bug fixes
- Read-only properties are now read-only (
eabed8f). - The
CONNECTING,OPEN,CLOSING,CLOSED,binaryType,bufferedAmount,extensions,onclose,onerror,onmessage,onopen,protocol,readyState, andurlproperties are now enumerable (2069e68).
v7.3.1
Bug fixes
v7.3.0
Features
WebSocket.prototype.addEventListener()now supports theonceoption (#1754).
v7.2.5
Bug fixes
- Fixed compatibility with Node.js master (
651d662).
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}