update Sockjs 0.3.20 to fix ERR_STREAM_WRITE_AFTER_END

[peernohell]

On our server sometime we have error's about ERR_STREAM_WRITE_AFTER_END

Here the stack

Error [ERR_STREAM_WRITE_AFTER_END] [ERR_STREAM_WRITE_AFTER_END]: write after end
    at writeAfterEnd (_stream_writable.js:264:14)
    at Socket.Writable.write (_stream_writable.js:313:5)
    at Socket.Writable.end (_stream_writable.js:623:10)
    at Socket.end (net.js:584:31)
    at App.handle_404 (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/sockjs.js:61:11)
    at Listener.webjs_handler (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/webjs.js:115:28)
    at Listener.handler (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/sockjs.js:150:12)
    at Listener.handler (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/sockjs.js:6:59)
    at Server.<anonymous> (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/sockjs.js:157:24)
    at Server.new_handler (/opt/[...]/app/programs/server/npm/node_modules/meteor/ddp-server/node_modules/sockjs/lib/utils.js:86:19)
    at packages/ddp-server/stream_server.js:184:23
    at Array.forEach (<anonymous>)
    at Function._.each._.forEach (packages/underscore.js:139:11)
    at Server.newListener (packages/ddp-server/stream_server.js:183:11)
    at Server.emit (events.js:311:20)
    at Server.EventEmitter.emit (domain.js:482:12)
    at onParserExecuteCommon (_http_server.js:642:14)
    at onParserExecute (_http_server.js:583:3)

After a few search it seems to be this bug in SockJS sockjs/sockjs-node#252 and that have been fixed in 0.3.20

On ubuntu LTS
Meteor: 1.10.2
Node: 12.16.1

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[andsnw]

We experienced denial of service because of this.

I have created a proof of concept exploit code which you can test on your own Meteor server running SockJS 0.3.19 to instantly crash the container in 3 requests: https://github.com/andsnw/sockjs-dos-py

Disclosed to Snyk advisory as well: https://snyk.io/vuln/SNYK-JS-SOCKJS-575261

[StorytellerCZ]

@andsnw Can you try out: #11110
to see if that fixes your issue?

[juliusarden]

@StorytellerCZ Yes, #11110 fixes the issue that @andsnw mentioned.
tagging @filipenevola on this issue as well.

[evolross]

Just saw this same error in our Galaxy logs over the weekend on July 3rd. Looks like It crashed three out of six containers at the exact same time. Got complaints. Running Meteor 1.9.3. Guess we should probably update.

[filipenevola]

ddp-server@2.3.2 is published now.