Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade ws from 7.4.6 to 7.5.3 #7457

Merged
merged 6 commits into from
Jul 24, 2021

Conversation

snyk-bot
Copy link
Contributor

@snyk-bot snyk-bot commented Jul 8, 2021

Snyk has created this PR to upgrade ws from 7.4.6 to 7.5.0.

merge advice
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 1 version ahead of your current version.
  • The recommended version was released 22 days ago, on 2021-06-16.
Release notes
Package name: ws
  • 7.5.0 - 2021-06-16

    Features

    • Some errors now have a code property describing the specific type of error
      that has occurred (#1901).

    Bug fixes

    • A close frame is now sent to the remote peer if an error (such as a data
      framing error) occurs (8806aa9).
    • The close code is now always 1006 if no close frame is received, even if the
      connection is closed due to an error (8806aa9).
  • 7.4.6 - 2021-05-25

    Bug fixes

    • Fixed a ReDoS vulnerability (00c425e).

    A specially crafted value of the Sec-Websocket-Protocol header could be used
    to significantly slow down a ws server.

    for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
    const value = 'b' + ' '.repeat(length) + 'x';
    const start = process.hrtime.bigint();

    value.trim().split(/ , /);

    const end = process.hrtime.bigint();

    console.log('length = %d, time = %f ns', length, end - start);
    }

    The vulnerability was responsibly disclosed along with a fix in private by
    Robert McLaughlin from University of California, Santa Barbara.

    In vulnerable versions of ws, the issue can be mitigated by reducing the maximum
    allowed length of the request headers using the --max-http-header-size=size
    and/or the maxHeaderSize options.

from ws GitHub release notes
Commit messages
Package name: ws

Compare


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@mtrezza mtrezza added type:bug Impaired feature or lacking behavior that is likely assumed and removed type:bug Impaired feature or lacking behavior that is likely assumed labels Jul 11, 2021
@mtrezza
Copy link
Member

mtrezza commented Jul 23, 2021

Currently fails with:

1) ParseLiveQuery handle invalid websocket payload length
  - Uncaught exception: TypeError: Converting circular structure to JSON
      --> starting at object with constructor 'Timeout'
      |     property '_idlePrev' -> object with constructor 'TimersList'
      --- property '_idleNext' closes the circle

2) ParseLiveQuery LiveQuery with ACL
  - Unhandled promise rejection: ParseError: 101 Object not found.

@codecov
Copy link

codecov bot commented Jul 24, 2021

Codecov Report

Merging #7457 (4e8e42b) into master (39f7c83) will decrease coverage by 0.01%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7457      +/-   ##
==========================================
- Coverage   93.93%   93.91%   -0.02%     
==========================================
  Files         181      181              
  Lines       13251    13252       +1     
==========================================
- Hits        12447    12446       -1     
- Misses        804      806       +2     
Impacted Files Coverage Δ
src/LiveQuery/ParseWebSocketServer.js 93.33% <100.00%> (+0.22%) ⬆️
src/batch.js 91.37% <0.00%> (-1.73%) ⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js 92.37% <0.00%> (-0.44%) ⬇️
src/ParseServerRESTController.js 98.50% <0.00%> (+1.49%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 39f7c83...4e8e42b. Read the comment docs.

@mtrezza
Copy link
Member

mtrezza commented Jul 24, 2021

Both errors were due to a circular object, for which JSON.stringify cannot be used --> using util.inspect instead.

Upgraded to 7.5.3 instead of Snyk's suggested 7.5.0 because these follow-up versions fixed some bugs.

@mtrezza mtrezza changed the title [Snyk] Upgrade ws from 7.4.6 to 7.5.0 [Snyk] Upgrade ws from 7.4.6 to 7.5.3 Jul 24, 2021
@mtrezza mtrezza merged commit c3b71ba into master Jul 24, 2021
@mtrezza mtrezza deleted the snyk-upgrade-075baae8bf5f793b5ed828810e08ddf9 branch July 24, 2021 23:54
SebC99 added a commit to hulab/parse-server that referenced this pull request Jul 26, 2021
* master: (55 commits)
  Accept context via header X-Parse-Cloud-Context (parse-community#7437)
  [Snyk] Upgrade ws from 7.4.6 to 7.5.3 (parse-community#7457)
  fix: upgrade @apollographql/graphql-playground-html from 1.6.28 to 1.6.29 (parse-community#7473)
  fix: upgrade @apollographql/graphql-playground-html from 1.6.27 to 1.6.28 (parse-community#7411)
  fix: upgrade graphql from 15.5.0 to 15.5.1 (parse-community#7462)
  [Snyk] Security upgrade parse from 3.2.0 to 3.3.0 (parse-community#7464)
  fix: upgrade apollo-server-express from 2.25.1 to 2.25.2 (parse-community#7465)
  fix: upgrade graphql-tag from 2.12.4 to 2.12.5 (parse-community#7466)
  fix: upgrade graphql-relay from 0.7.0 to 0.8.0 (parse-community#7467)
  Add MongoDB 5.0 support + bump CI env (parse-community#7469)
  changed twitter API endpoint for oauth test (parse-community#7472)
  add runtime deprecation warning (parse-community#7451)
  bumped node (parse-community#7452)
  fix: upgrade apollo-server-express from 2.25.0 to 2.25.1 (parse-community#7449)
  fix: upgrade subscriptions-transport-ws from 0.9.19 to 0.10.0 (parse-community#7450)
  fix: upgrade mongodb from 3.6.8 to 3.6.9 (parse-community#7445)
  fix: upgrade mongodb from 3.6.7 to 3.6.8 (parse-community#7430)
  fix: upgrade apollo-server-express from 2.24.1 to 2.25.0 (parse-community#7435)
  fix: upgrade ldapjs from 2.2.4 to 2.3.0 (parse-community#7436)
  fix: upgrade graphql-relay from 0.6.0 to 0.7.0 (parse-community#7443)
  ...
mtrezza added a commit to mtrezza/parse-server that referenced this pull request Aug 22, 2021
mtrezza added a commit that referenced this pull request Aug 23, 2021
* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR #7464)

* fix Twitter API oauth Error (PR #7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83d.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR #7457)

* Update CHANGELOG.md
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 5.0.0-beta.1

@parseplatformorg parseplatformorg added the state:released-beta Released as beta version label Nov 1, 2021
@parseplatformorg
Copy link
Contributor

🎉 This change has been released in version 5.0.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Mar 14, 2022
SebC99 pushed a commit to hulab/parse-server that referenced this pull request May 29, 2022
Squashed commits:
[1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5
[3a5c38d] revert to version 4.5.0 for testing
[a3483d8] fix changelog skip 4.5.1
[3c42584] 4.5.2
[97b1dca] revert to version 4.5.0 for testing
[f3133ac] Release 4.10.1 (parse-community#7508)

* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR parse-community#7464)

* fix Twitter API oauth Error (PR parse-community#7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83d.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR parse-community#7457)

* Update CHANGELOG.md
[7e1da90] added changelog
[0e3cae5] audit fix
[f0d5232] bumped version
[4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x

* fix: LQ deletes session token

* add 4.10.4

* add changes
[ef2ec21] ci: update docker image building (parse-community#7553)

* docker

* Update docker-publish.yml

* Update docker-publish.yml
[6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x

* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
[0bfa6b7] Release 4.10.2 (parse-community#7513)

* move graphql-tag from devDependencies to dependencies (parse-community#7183)

* bump version

* Update CHANGELOG.md
[0be0b87] bump version
SebC99 pushed a commit to hulab/parse-server that referenced this pull request Nov 10, 2022
Squashed commits:
[1306da7] Merge pull request from GHSA-23r4-5mxp-c7g5
[3a5c38d] revert to version 4.5.0 for testing
[a3483d8] fix changelog skip 4.5.1
[3c42584] 4.5.2
[97b1dca] revert to version 4.5.0 for testing
[f3133ac] Release 4.10.1 (parse-community#7508)

* bump parse 3.3.0

* Update CHANGELOG.md

* update user test (PR parse-community#7464)

* fix Twitter API oauth Error (PR parse-community#7370)

* bumped dependencies

* Revert "bumped dependencies"

This reverts commit 97ad83d.

* bump @parse/push-adapter 3.4.1

* bump jwks-rsa@1.12.3

* bump mongodb@3.6.11

* bump ws@7.5.3

* changed logging for circular obj (PR parse-community#7457)

* Update CHANGELOG.md
[7e1da90] added changelog
[0e3cae5] audit fix
[f0d5232] bumped version
[4ac4b7f] Merge pull request from GHSA-7pr3-p5fm-8r9x

* fix: LQ deletes session token

* add 4.10.4

* add changes
[ef2ec21] ci: update docker image building (parse-community#7553)

* docker

* Update docker-publish.yml

* Update docker-publish.yml
[6ae5835] Merge pull request from GHSA-xqp8-w826-hh6x

* Backport the advisory fix

* Added a 4.10.3 section to CHANGELOG
[0bfa6b7] Release 4.10.2 (parse-community#7513)

* move graphql-tag from devDependencies to dependencies (parse-community#7183)

* bump version

* Update CHANGELOG.md
[0be0b87] bump version
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
state:released Released as stable version state:released-beta Released as beta version
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants