add Sec-WebSocket-Key header verification

hirasawayuki · hirasawayuki · commit 3ae5d9c844ae · 2022-01-04T12:17:11.000+09:00
diff --git a/server.go b/server.go
@@ -154,8 +154,8 @@ func (u *Upgrader) Upgrade(w http.ResponseWriter, r *http.Request, responseHeade
 	}
 
 	challengeKey := r.Header.Get("Sec-Websocket-Key")
-	if challengeKey == "" {
-		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'Sec-WebSocket-Key' header is missing or blank")
+	if !isValidChallengeKey(challengeKey) {
+		return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'Sec-WebSocket-Key' header must be Base64 encoded value of 16-byte in length")
 	}
 
 	subprotocol := u.selectSubprotocol(r, responseHeader)
diff --git a/util.go b/util.go
@@ -281,3 +281,18 @@ headers:
 	}
 	return result
 }
+
+// isValidChallengeKey checks if the argument meets RFC6455 specification.
+func isValidChallengeKey(s string) bool {
+	// From RFC6455:
+	//
+	// A |Sec-WebSocket-Key| header field with a base64-encoded (see
+	// Section 4 of [RFC4648]) value that, when decoded, is 16 bytes in
+	// length.
+
+	if s == "" {
+		return false
+	}
+	decoded, err := base64.StdEncoding.DecodeString(s)
+	return err == nil && len(decoded) == 16
+}

Original file line number	Diff line number	Diff line change
`@@ -154,8 +154,8 @@ func (u Upgrader) Upgrade(w http.ResponseWriter, r http.Request, responseHeade`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`challengeKey := r.Header.Get("Sec-Websocket-Key")`
`157`		`- if challengeKey == "" {`
`158`		`- return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'Sec-WebSocket-Key' header is missing or blank")`
	`157`	`+ if !isValidChallengeKey(challengeKey) {`
	`158`	`+ return u.returnError(w, r, http.StatusBadRequest, "websocket: not a websocket handshake: 'Sec-WebSocket-Key' header must be Base64 encoded value of 16-byte in length")`
`159`	`159`	`}`
`160`	`160`
`161`	`161`	`subprotocol := u.selectSubprotocol(r, responseHeader)`