Minor Changes
- #185
0b20ec6Thanks @ndisidore! - Add configurable receiver-side resource limits (RpcSessionOptions.limits) that cap bigint length, message nesting depth, and incoming message size to guard against untrusted-peer resource exhaustion (#184).
Patch Changes
-
#190
6e5c562Thanks @taylorodell! - Several correctness and robustness fixes:- Error deserialization no longer resolves an attacker-supplied error type name to an inherited
Object.prototypemember.ERROR_TYPESnow has a null prototype, so a wire value such as["error","constructor",...]no longer resolves toObject(which produced aStringwrapper instead of anError, bypassinginstanceof Errorchecks), and a name like"toString"no longer resolves to a non-constructor and throws. Unknown names correctly fall back toError. - Error deserialization now filters inherited
Object.prototypekeys (andtoJSON) out of an error's own-property bag, matching the behavior already applied when deserializing plain objects. Keys such as__proto__,toString, andvalueOfare no longer copied onto deserialized errors. - Resolving an import that has already been resolved now disposes the redundant resolution instead of overwriting (and leaking) the previous one.
- The
abortmessage handler now hands error handlers the unwrapped abort reason rather than the internal payload wrapper, matching therejecthandler. - WebSocket close reasons longer than the 123-byte limit are now truncated on a UTF-8 character boundary, so aborting a session with a long reason no longer throws from
WebSocket.close().
- Error deserialization no longer resolves an attacker-supplied error type name to an inherited