From 22c28763234aa75a7e1b76f5c01c181260d7917f Mon Sep 17 00:00:00 2001 From: Luigi Pinca Date: Sun, 16 Jun 2024 13:00:51 +0200 Subject: [PATCH] [security] Fix crash when the Upgrade header cannot be read (#2231) It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230 --- lib/websocket-server.js | 4 +++- lib/websocket.js | 4 +++- test/websocket-server.test.js | 41 +++++++++++++++++++++++++++++++++++ test/websocket.test.js | 26 ++++++++++++++++++++++ 4 files changed, 73 insertions(+), 2 deletions(-) diff --git a/lib/websocket-server.js b/lib/websocket-server.js index fe7fdf501..8ead7d4a0 100644 --- a/lib/websocket-server.js +++ b/lib/websocket-server.js @@ -210,12 +210,14 @@ class WebSocketServer extends EventEmitter { req.headers['sec-websocket-key'] !== undefined ? req.headers['sec-websocket-key'].trim() : false; + const upgrade = req.headers.upgrade; const version = +req.headers['sec-websocket-version']; const extensions = {}; if ( req.method !== 'GET' || - req.headers.upgrade.toLowerCase() !== 'websocket' || + upgrade === undefined || + upgrade.toLowerCase() !== 'websocket' || !key || !keyRegex.test(key) || (version !== 8 && version !== 13) || diff --git a/lib/websocket.js b/lib/websocket.js index 1df89675d..14f82c823 100644 --- a/lib/websocket.js +++ b/lib/websocket.js @@ -799,7 +799,9 @@ function initAsClient(websocket, address, protocols, options) { req = websocket._req = null; - if (res.headers.upgrade.toLowerCase() !== 'websocket') { + const upgrade = res.headers.upgrade; + + if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') { abortHandshake(websocket, socket, 'Invalid Upgrade header'); return; } diff --git a/test/websocket-server.test.js b/test/websocket-server.test.js index 90ceb5646..08c62619b 100644 --- a/test/websocket-server.test.js +++ b/test/websocket-server.test.js @@ -494,6 +494,47 @@ describe('WebSocketServer', () => { }); describe('Connection establishing', () => { + it('fails if the Upgrade header field value cannot be read', (done) => { + const server = http.createServer(); + const wss = new WebSocket.Server({ noServer: true }); + + server.maxHeadersCount = 1; + + server.on('upgrade', (req, socket, head) => { + assert.deepStrictEqual(req.headers, { foo: 'bar' }); + wss.handleUpgrade(req, socket, head, () => { + done(new Error('Unexpected callback invocation')); + }); + }); + + server.listen(() => { + const req = http.get({ + port: server.address().port, + headers: { + foo: 'bar', + bar: 'baz', + Connection: 'Upgrade', + Upgrade: 'websocket' + } + }); + + req.on('response', (res) => { + assert.strictEqual(res.statusCode, 400); + + const chunks = []; + + res.on('data', (chunk) => { + chunks.push(chunk); + }); + + res.on('end', () => { + assert.strictEqual(Buffer.concat(chunks).toString(), 'Bad Request'); + server.close(done); + }); + }); + }); + }); + it('fails if the Sec-WebSocket-Key header is invalid (1/2)', (done) => { const wss = new WebSocket.Server({ port: 0 }, () => { const req = http.get({ diff --git a/test/websocket.test.js b/test/websocket.test.js index e058a06f4..add0c3b51 100644 --- a/test/websocket.test.js +++ b/test/websocket.test.js @@ -528,6 +528,32 @@ describe('WebSocket', () => { beforeEach((done) => server.listen(0, done)); afterEach((done) => server.close(done)); + it('fails if the Upgrade header field value cannot be read', (done) => { + server.once('upgrade', (req, socket) => { + socket.on('end', socket.end); + socket.write( + 'HTTP/1.1 101 Switching Protocols\r\n' + + 'Connection: Upgrade\r\n' + + 'Upgrade: websocket\r\n' + + '\r\n' + ); + }); + + const ws = new WebSocket(`ws://localhost:${server.address().port}`); + + ws._req.maxHeadersCount = 1; + + ws.on('upgrade', (res) => { + assert.deepStrictEqual(res.headers, { connection: 'Upgrade' }); + + ws.on('error', (err) => { + assert.ok(err instanceof Error); + assert.strictEqual(err.message, 'Invalid Upgrade header'); + done(); + }); + }); + }); + it('fails if the Upgrade header field value is not "websocket"', (done) => { server.once('upgrade', (req, socket) => { socket.on('end', socket.end);