Skip to content
This repository has been archived by the owner on Feb 1, 2022. It is now read-only.

feat(InspectClient): validate sec-websocket-accept response header #93

Conversation

copperwall
Copy link

This addresses a TODO to validate that the sec-websocket-accept header in the websocket
handshake response is valid. To do this we need to append the Websocket GUID to the
original key sent in sec-websocket-key, sha1 hash it, and then compare the base64
encoding with the value sent in the sec-websocket-accept response header.

If they don't match, an error is thrown.

This addresses a TODO to validate that the sec-websocket-accept header in the websocket
handshake response is valid. To do this we need to append the Websocket GUID to the
original key sent in sec-websocket-key, sha1 hash it, and then compare the base64
encoding with the value sent in the sec-websocket-accept response header.

If they don't match, an error is thrown.
@Trott
Copy link
Member

Trott commented Jun 19, 2021

Similar to the other PR, if you want to open this one in the main repo, that would be fantastic. If not, I'll try to port it over because this is A Good Thing and we should include it!

I'll wait a bit before closing this one so I don't lose track of it....

@Trott
Copy link
Member

Trott commented Jul 11, 2021

Moved to nodejs/node#39357 and added a test.

@Trott Trott closed this Jul 11, 2021
Trott pushed a commit to Trott/io.js that referenced this pull request Jul 18, 2021
This addresses a TODO to validate that the sec-websocket-accept header
in the WebSocket handshake response is valid. To do this we need to
append the WebSocket GUID to the original key sent in sec-websocket-key,
sha1 hash it, and then compare the base64 encoding with the value sent
in the sec-websocket-accept response header.

If they don't match, an error is thrown.

PR-URL: nodejs#39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Trott added a commit to Trott/io.js that referenced this pull request Jul 18, 2021
Trott pushed a commit to Trott/io.js that referenced this pull request Jul 18, 2021
This addresses a TODO to validate that the sec-websocket-accept header
in the WebSocket handshake response is valid. To do this we need to
append the WebSocket GUID to the original key sent in sec-websocket-key,
sha1 hash it, and then compare the base64 encoding with the value sent
in the sec-websocket-accept response header.

If they don't match, an error is thrown.

PR-URL: nodejs#39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Trott added a commit to Trott/io.js that referenced this pull request Jul 18, 2021
targos pushed a commit to nodejs/node that referenced this pull request Jul 20, 2021
This addresses a TODO to validate that the sec-websocket-accept header
in the WebSocket handshake response is valid. To do this we need to
append the WebSocket GUID to the original key sent in sec-websocket-key,
sha1 hash it, and then compare the base64 encoding with the value sent
in the sec-websocket-accept response header.

If they don't match, an error is thrown.

PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
targos pushed a commit to nodejs/node that referenced this pull request Jul 20, 2021
PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
BethGriggs pushed a commit to nodejs/node that referenced this pull request Jul 29, 2021
This addresses a TODO to validate that the sec-websocket-accept header
in the WebSocket handshake response is valid. To do this we need to
append the WebSocket GUID to the original key sent in sec-websocket-key,
sha1 hash it, and then compare the base64 encoding with the value sent
in the sec-websocket-accept response header.

If they don't match, an error is thrown.

PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
BethGriggs pushed a commit to nodejs/node that referenced this pull request Jul 29, 2021
PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
targos pushed a commit to nodejs/node that referenced this pull request Sep 4, 2021
This addresses a TODO to validate that the sec-websocket-accept header
in the WebSocket handshake response is valid. To do this we need to
append the WebSocket GUID to the original key sent in sec-websocket-key,
sha1 hash it, and then compare the base64 encoding with the value sent
in the sec-websocket-accept response header.

If they don't match, an error is thrown.

PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
targos pushed a commit to nodejs/node that referenced this pull request Sep 4, 2021
PR-URL: #39357
Refs: nodejs/node-inspect#93
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants