[security] Fix ReDoS vulnerability
A specially crafted value of the `Sec-Websocket-Protocol` header could
be used to significantly slow down a ws server.

PoC and fix were sent privately by Robert McLaughlin from University of
California, Santa Barbara.
lpinca committed Jun 1, 2021
1 parent d57db27 commit 78c676d
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion lib/websocket-server.js
@@ -280,7 +280,7 @@ class WebSocketServer extends EventEmitter {
var protocol = req.headers['sec-websocket-protocol'];

if (protocol) {
protocol = protocol.trim().split(/ *, */);
protocol = protocol.split(',').map(trim);

//
// Optionally call external protocol selection handler.
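Review bot: the replacement has the right shape: `split(',')` is linear in the input, whereas the removed `/ *, */` carries an unbounded ` *` on each side of the comma, so a header value with long runs of spaces and few commas makes the engine retry the greedy ` *` from every start position and at every length. Two behavioural details are worth a line in the commit message or a test: `trim()` strips tabs and other whitespace while the old pattern only consumed spaces, so `chat\t,x` now yields `chat` instead of `chat\t` (closer to HTTP OWS, but a change); and both versions keep empty tokens from `a,,b` or a trailing comma, so the protocol selection code below must keep rejecting an empty name. A regression test that sends a long, comma-free run of spaces in `Sec-WebSocket-Protocol` would pin the fix against a future regex reintroduction.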
@@ -399,3 +399,15 @@ function abortHandshake(socket, code, message, headers) {
socket.removeListener('error', socketOnError);
socket.destroy();
}

/**
* Remove whitespace characters from both ends of a string.
*
* @param {String} str The string
* @return {String} A new string representing `str` stripped of whitespace
* characters from both its beginning and end
* @private
*/
function trim(str) {
return str.trim();
}
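Review bot: a module-level `trim(str)` helper is a sound way to avoid passing `String.prototype.trim` unbound to `map` (which would call it with `(value, index, array)` and no `this`), but an arrow at the call site, `protocol.split(',').map((p) => p.trim())`, says the same thing without a private function placed over a hundred lines away from its only use. If the helper stays, the JSDoc is accurate; it could add that the caller may still receive empty strings for empty list items.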

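As an added example, not code from the ws project or this commit, the two parsers from the hunk above side by side: the pre-fix regex split kept only as the "before" case, the post-fix comma split, and a constructed long-whitespace header used as a regression input for the fixed version. The function names `splitProtocolsVulnerable`, `splitProtocolsFixed`, `validProtocols`, `makeLongWhitespaceHeader` and `timeParse` are assumptions of this example, not ws identifiers.

```javascript
// Added example (not ws project code): contrasting the pre-fix and post-fix
// Sec-WebSocket-Protocol parsing from lib/websocket-server.js.

// Pre-fix behaviour. The pattern / *, */ has an unbounded ' *' on both sides
// of the comma: on a value with a long run of spaces that is not followed by
// a comma, the engine tries the greedy ' *' from every start position and at
// every length, which is quadratic in the run length. Kept only as the
// "before" case; do not use it on untrusted input.
function splitProtocolsVulnerable(header) {
  return header.trim().split(/ *, */);
}

// Post-fix behaviour: split on the literal comma (linear), then trim each
// token. trim() also removes tabs and other whitespace, which the old regex
// did not, so "chat\t, x" now yields "chat" rather than "chat\t".
function splitProtocolsFixed(header) {
  return header.split(',').map((s) => s.trim());
}

// Both parsers keep empty tokens for "a,,b" or a trailing comma, so whoever
// selects a protocol must still drop empty names.
function validProtocols(tokens) {
  return tokens.filter((t) => t.length > 0);
}

// Constructed regression input: one header value with a long, comma-free run
// of spaces between two otherwise ordinary tokens.
function makeLongWhitespaceHeader(n) {
  return 'chat' + ' '.repeat(n) + 'superchat';
}

// Run a parser once and report its result together with wall-clock time in
// milliseconds; used to show that the fixed parser stays fast on the
// regression input.
function timeParse(fn, header) {
  const start = performance.now();
  const result = fn(header);
  return { result, ms: performance.now() - start };
}

// Stand-alone demo over the fixed parser only.
const normal = ' chat , superchat ,binary';
console.log('fixed parser on a normal header:', splitProtocolsFixed(normal));
console.log('empty items removed:', validProtocols(splitProtocolsFixed('a,,b,')));
const big = makeLongWhitespaceHeader(20000);
const timed = timeParse(splitProtocolsFixed, big);
console.log('fixed parser on 20000-space header:', timed.result.length,
  'token(s) in', timed.ms.toFixed(2), 'ms');
```

The demo deliberately only times the fixed parser; the point of keeping the vulnerable function alongside it is that a unit test can assert both give the same tokens on ordinary headers while only the fixed one is acceptable for untrusted input.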