Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency ws to 6.2.2 [SECURITY] #647

Merged
merged 1 commit into from Jul 11, 2021
Merged

Update dependency ws to 6.2.2 [SECURITY] #647

merged 1 commit into from Jul 11, 2021

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jun 29, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Change
ws 6.2.1 -> 6.2.2

GitHub Vulnerability Alerts

CVE-2021-32640

Impact

A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server.

Proof of concept

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();

  value.trim().split(/ *, */);

  const end = process.hrtime.bigint();

  console.log('length = %d, time = %f ns', length, end - start);
}

Patches

The vulnerability was fixed in ws@7.4.6 (websockets/ws@00c425e) and backported to ws@6.2.2 (websockets/ws@78c676d) and ws@5.2.3 (websockets/ws@76d47c1).

Workarounds

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

Credits

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@codeclimate
Copy link

codeclimate bot commented Jun 29, 2021

Code Climate has analyzed commit ee72853 and detected 0 issues on this pull request.

View more on Code Climate.

@codecov
Copy link

codecov bot commented Jun 29, 2021

Codecov Report

Merging #647 (ee72853) into master (ba96c64) will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #647   +/-   ##
=======================================
  Coverage   36.06%   36.06%           
=======================================
  Files           3        3           
  Lines          61       61           
  Branches        8        8           
=======================================
  Hits           22       22           
  Misses         39       39

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ba96c64...ee72853. Read the comment docs.

@satanTime satanTime merged commit 0cf38ca into master Jul 11, 2021
@renovate renovate bot deleted the renovate/root/npm-ws-vulnerability branch July 11, 2021 10:52
@satanTime
Copy link
Owner

v1.1.3 has been released and contains a fix for the issue. Feel free to reopen the issue or to submit a new one if you meet any problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@satanTime satanTime satanTime approved these changes

Assignees
No one assigned
Labels
released v1.1.3
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@satanTime @renovate-bot