Issues and security implications with subscriptions-transport-ws

[enisdenjo]

apollographql/subscriptions-transport-ws

The following issue collection is only up until December 2018

🚨 Possible security implications

• SubscriptionClient.onError returning event { isTrusted: false } #744
  • It appears that instead of emitting an error, the onError method and .on('error', ...) emit an internal Event representation.
• Bypassing the onConnect server handler #349
  • Per the docs, the onConnect server handler can be used as a form of gatekeeping if you use it to throw or returns false. This can be bypassed by simply not sending the INIT message, which means the initPromise will simply be true. Then, the client can send a GQL_START message, even if the onConnect was designed to block it.
    • Further considerations:
      • You cannot set your own headers on the client side
      • Potential use URL to authenticate. BEWARE: URLs can be logged and captured even through TLS/SSL
  • Related:
    • Fix for start messages being sent before connection ack #767

🛠 Issues

• GQL_STOP sent after "complete" from server #711
  • The GQL_STOP message is being sent from the client, after receiving the GQL_COMPLETE message back from the server.
• Prevent messages from being sent when the client is closing. #760
  • While the client closing, the GQL_STOP can still be sent - causing the client to break.
• Client does not wait for connection_ack on reconnection #339
  • When the client reconnects after a disconnect, it appears to flush the unsent message queue before receiving GQL_CONNECTION_ACK from the server.
• GQL_CONNECTION_ERROR should send error name and data #409
  • Vague errors from the server.
• Memory leaks in duplicate subscriptions #433
  • Identical subscriptions being sent multiple times causes memory leaks.
• Don't handle promisedParams error twice #514
  • Small issue but arrises consistency issues.
• Multiple websocket connections created during reconnects (SubscriptionClient) #732, Multiple websocket instances accumulating in the browser after reconnection #548
  • A possible memory leak.
• WebSocket event listeners not cleaned up after WebSocket is closed #581
  • Another possible memory leak.
• Subscription stays active after successful subscription stop call (GQL_STOP message) #645
  • When a subscription start call GQL_START is not completed before a GQL_STOP call the client keeps receiving subscription events.
• GQL_CONNECTION_ERROR being sent from Client -> Server on exception during client connection #724
  • GQL_CONNECTION_ERROR is defined as a Server -> Client message. However, if an exception occurs while setting up the connection params or sending the GQL_CONNECTION_INIT - this message is sent from Client -> Server.
• WebSocket.onclose's reasons for disconnection are not passed to users #505
  • Client is in the dark about the disconnect reasons.