
[dist] Update dependency socket.io to v2.5.1 [SECURITY]

Open renovate[bot] opened this issue 4 years ago • 1 comment

This PR contains the following updates:

Package             Change
socket.io (source)  2.2.0 -> 2.5.1
socket.io (source)  ~0.9.16 -> ~2.5.1

GitHub Vulnerability Alerts

CVE-2020-28481

The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

CVE-2024-38355

Impact

A specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.

node:events:502
    throw err; // Unhandled 'error' event
    ^

Error [ERR_UNHANDLED_ERROR]: Unhandled error. (undefined)
    at new NodeError (node:internal/errors:405:5)
    at Socket.emit (node:events:500:17)
    at /myapp/node_modules/socket.io/lib/socket.js:531:14
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11) {
  code: 'ERR_UNHANDLED_ERROR',
  context: undefined
}

Affected versions

Version range   Needs minor update?
4.6.2...latest  Nothing to do
3.0.0...4.6.1   Please upgrade to socket.io@4.6.2 (at least)
2.3.0...2.5.0   Please upgrade to socket.io@2.5.1

Patches

This issue is fixed by https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115, included in socket.io@4.6.2 (released in May 2023).

The fix was backported in the 2.x branch today: https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Workarounds

As a workaround for the affected versions of the socket.io package, you can attach a listener for the "error" event:

io.on("connection", (socket) => {
  socket.on("error", () => {
    // ...
  });
});

For more information

If you have any questions or comments about this advisory:

  • Open a discussion here

Thanks a lot to Paul Taylor for the responsible disclosure.

References

  • https://github.com/socketio/socket.io/commit/15af22fc22bc6030fcead322c106f07640336115
  • https://github.com/socketio/socket.io/commit/d30630ba10562bf987f4d2b42440fc41a828119c

Release Notes

socketio/socket.io (socket.io)

v2.5.1


Bug Fixes
  • add a noop handler for the error event (d30630b)
Links:
  • Diff: https://github.com/socketio/socket.io/compare/2.5.0...2.5.1
  • Client release: -
  • engine.io version: ~3.6.0 (no change)
  • ws version: ~7.5.10

v2.5.0


:warning: WARNING :warning:

The default value of the maxHttpBufferSize option has been decreased from 100 MB to 1 MB, in order to prevent denial-of-service attacks.

Security advisory: https://github.com/advisories/GHSA-j4f2-536g-r55m

Bug Fixes
  • fix race condition in dynamic namespaces (05e1278)
  • ignore packet received after disconnection (22d4bdf)
  • only set 'connected' to true after middleware execution (226cc16)
  • prevent the socket from joining a room after disconnection (f223178)
Links:
  • Diff: https://github.com/socketio/socket.io/compare/2.4.1...2.5.0
  • Client release: 2.5.0
  • engine.io version: ~3.6.0 (diff)
  • ws version: ~7.4.2

v2.4.1


This release reverts the breaking change introduced in 2.4.0 (https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7).

If you are using Socket.IO v2, you should explicitly allow/disallow cross-origin requests:

  • without CORS (server and client are served from the same domain):

    const io = require("socket.io")(httpServer, {
      allowRequest: (req, callback) => {
        callback(null, req.headers.origin === undefined); // cross-origin requests will not be allowed
      }
    });

  • with CORS (server and client are served from distinct domains):

    io.origins(["http://localhost:3000"]); // for local development
    io.origins(["https://example.com"]);

In any case, please consider upgrading to Socket.IO v3, where this security issue is now fixed (CORS is disabled by default).

Reverts
  • fix(security): do not allow all origins by default (a169050)
Links:
  • Diff: https://github.com/socketio/socket.io/compare/2.4.0...2.4.1
  • Client release: -
  • engine.io version: ~3.5.0
  • ws version: ~7.4.2

v2.4.0


Related blog post: https://socket.io/blog/socket-io-2-4-0/

Features (from Engine.IO)
  • add support for all cookie options (19cc582)
  • disable perMessageDeflate by default (5ad2736)
Bug Fixes
  • security: do not allow all origins by default (f78a575)
  • properly overwrite the query sent in the handshake (d33a619)

:warning: BREAKING CHANGE :warning:

Previously, CORS was enabled by default, which meant that a Socket.IO server sent the necessary CORS headers (Access-Control-Allow-xxx) to any domain. This will not be the case anymore, and you now have to explicitly enable it.

Please note that you are not impacted if:

  • you are using Socket.IO v2 and the origins option to restrict the list of allowed domains
  • you are using Socket.IO v3 (disabled by default)

This commit also removes the support for '*' matchers and protocol-less URLs:

io.origins('https://example.com:443'); => io.origins(['https://example.com']);
io.origins('localhost:3000');          => io.origins(['http://localhost:3000']);
io.origins('http://localhost:*');      => io.origins(['http://localhost:3000']);
io.origins('*:3000');                  => io.origins(['http://localhost:3000']);

To restore the previous behavior (please use with caution):

io.origins((_, callback) => {
  callback(null, true);
});

See also:

  • https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
  • https://socket.io/docs/v3/handling-cors/
  • https://socket.io/docs/v3/migrating-from-2-x-to-3-0/#CORS-handling

Thanks a lot to @ni8walk3r for the security report.

Links:
  • Milestone: 2.4.0
  • Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0
  • Client release: 2.4.0
  • engine.io version: ~3.5.0
  • ws version: ~7.4.2

v2.3.0


This release mainly contains a bump of the engine.io and ws packages, but no additional features.

Links:
  • Milestone: 2.3.0
  • Diff: https://github.com/socketio/socket.io/compare/2.2.0...2.3.0
  • Client release: 2.3.0
  • engine.io version: ~3.4.0 (diff: https://github.com/socketio/engine.io/compare/3.3.1...3.4.2)
  • ws version: ^7.1.2 (diff: https://github.com/websockets/ws/compare/6.1.2...7.3.1)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Jan 23 '21 08:01 renovate[bot]

Codecov Report

Merging #1501 (246460b) into master (9b96cd7) will not change coverage. The diff coverage is n/a.


@@           Coverage Diff           @@
##           master    #1501   +/-   ##
=======================================
  Coverage   92.38%   92.38%           
=======================================
  Files           6        6           
  Lines         315      315           
=======================================
  Hits          291      291           
  Misses         24       24           

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update 9b96cd7...246460b.

codecov-io avatar Jan 23 '21 09:01 codecov-io