check origin header for websocket connection #1603

merged 3 commits into from Dec 21, 2018

@sokra (Member) commented Dec 21, 2018

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

no

Motivation / Use-Case

security fix

Breaking Changes

websocket is now checked for origin

Additional Info

@hackel commented on f18e5ad Nov 9, 2018

Any chance this security fix could be backported to 2.x?
Just noticed this. https://nodesecurity.io/advisories/725

@alexander-akait (Member) commented on f18e5ad Nov 9, 2018

No, please update to version 3; 2 is deprecated.

@aeegvk commented on f18e5ad Jan 2, 2019

Updated to suggested version 3.1.11 and latest version 3.1.14 but still getting a vulnerability report. How come?

@oles (Contributor) commented on f18e5ad Jan 2, 2019

Experiencing the same as @aeegvk.

Seems like the error is in https://www.npmjs.com/advisories/725 though.

@charlesfaustin commented on f18e5ad Jan 2, 2019

> Updated to suggested version 3.1.11 and latest version 3.1.14 but still getting a vulnerability report. How come?

There appears to be a typo in the npm vulnerability database
https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

@alexander-akait (Member) commented Dec 21, 2018

Need to fix lint problems

@codecov bot commented Dec 21, 2018

Codecov Report

Merging #1603 into master will increase coverage by 0.03%.
The diff coverage is 60%.

@@            Coverage Diff            @@
##           master   #1603      +/-   ##
=========================================
+ Coverage   74.06%   74.1%   +0.03%     
=========================================
  Files          10      10              
  Lines         671     672       +1     
=========================================
+ Hits          497     498       +1     
  Misses        174     174

| Impacted Files | Coverage Δ |
|---|---|
| lib/Server.js | 81.47% <60%> (+0.05%) ⬆️ |

Last update 68dd49a...7b9c846.

@alexander-akait merged commit b3217ca into master Dec 21, 2018
6 of 7 checks passed
@alexander-akait deleted the bugfix/origin-header branch Dec 21, 2018
matheus1lva pushed a commit to matheus1lva/GrCartuchos that referenced this issue Dec 21, 2018
## The devDependency [webpack-dev-server](https://github.com/webpack/webpack-dev-server) was updated from `3.1.10` to `3.1.11`.
This version is **not covered** by your **current version range**.

If you don’t accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.

---

<details>
<summary>Release Notes for v3.1.11</summary>

<p><a name="user-content-3.1.11"></a></p>
<h2><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/compare/v3.1.10...v3.1.11">3.1.11</a> (2018-12-21)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>bin/options:</strong> correct check for color support (<code>options.color</code>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1555" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1555/hovercard">#1555</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/55398b5">55398b5</a>)</li>
<li><strong>package:</strong> update <code>spdy</code> v3.4.1...4.0.0 (assertion error) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1491" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1491/hovercard">#1491</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1563" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1563/hovercard">#1563</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/7a3a257">7a3a257</a>)</li>
<li><strong>Server:</strong> correct <code>node</code> version checks (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1543" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1543/hovercard">#1543</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/927a2b3">927a2b3</a>)</li>
<li><strong>Server:</strong> mime type for wasm in contentBase directory (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1575" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1575/hovercard">#1575</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1580" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1580/hovercard">#1580</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fadae5d">fadae5d</a>)</li>
<li>add url for compatibility with webpack@5 (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1598" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1598/hovercard">#1598</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1599" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1599/hovercard">#1599</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/68dd49a">68dd49a</a>)</li>
<li>check origin header for websocket connection (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1603" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1603/hovercard">#1603</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/b3217ca">b3217ca</a>)</li>
</ul>
</details>

<details>
<summary>Commits</summary>
<p>The new version differs by 9 commits.</p>
<ul>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/ff2874f5f3a90e5727434cc10f69ac4d54896033"><code>ff2874f</code></a> <code>chore(release): 3.1.11</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/b3217ca8dc6b371a160b6749b949ab09d7b9f6d7"><code>b3217ca</code></a> <code>fix: check origin header for websocket connection (#1603)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/68dd49a5e44b270061e4746b2e01bbc72589ca3b"><code>68dd49a</code></a> <code>fix: add url for compatibility with webpack@5 (#1598) (#1599)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fadae5da6ba0261cade08164feeaad99b1de6b79"><code>fadae5d</code></a> <code>fix(Server): mime type for wasm in contentBase directory (#1575) (#1580)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/7a3a2579179b2ca0fd91405d9872ba2c3ed8db3a"><code>7a3a257</code></a> <code>fix(package): update <code>spdy</code> v3.4.1...4.0.0 (assertion error) (#1491) (#1563)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/1fe82dee4eef600946b2601a2d853cffbe65db0a"><code>1fe82de</code></a> <code>ci(travis): Node 11 (on OS X) crashes, use 10 for now (#1588)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/55398b5de17b9a845b1ee5aaa90bb2002c25ddfb"><code>55398b5</code></a> <code>fix(bin/options): correct check for color support (<code>options.color</code>) (#1555)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/927a2b38d4d3a5d8fd50dfce0343634d46fa8a92"><code>927a2b3</code></a> <code>fix(Server): correct <code>node</code> version checks (#1543)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fa96a76e9e5507bbf874044be0d95872768abf5e"><code>fa96a76</code></a> <code>chore(PULL_REQUEST_TEMPLATE): allow features (#1539)</code></li>
</ul>
<p>See the <a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/compare/fe3219f614ad84afbaab1ecbd1d9aec4ff337d37...ff2874f5f3a90e5727434cc10f69ac4d54896033">full diff</a></p>
</details>

Your [Greenkeeper](https://greenkeeper.io) bot 🌴
@3846masa mentioned this pull request Dec 22, 2018
ticky added a commit to buildkite/frontend that referenced this issue Jan 30, 2019
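
The Origin check on WebSocket connections that this pull request describes can be pictured as below. This is an added example, not code from this pull request or from webpack-dev-server; the function names, the allow-list format and the policy of rejecting a missing Origin are assumptions.

```javascript
// Added example, not webpack-dev-server code. All names are hypothetical.

// An allow-list entry is an exact hostname, or ".example.test" to match
// that domain and any of its subdomains.
function hostMatches(hostname, allowedHosts) {
  const host = hostname.toLowerCase();
  return allowedHosts.some((entry) => {
    const rule = entry.toLowerCase();
    if (rule.startsWith('.')) {
      return host === rule.slice(1) || host.endsWith(rule);
    }
    return host === rule;
  });
}

function isAllowedOrigin(originHeader, allowedHosts) {
  // Browsers send Origin on every WebSocket handshake. Assumed policy:
  // a missing header or the opaque origin "null" is rejected.
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch (err) {
    return false; // empty or unparseable value
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Compare the parsed hostname, never a substring of the raw header.
  return hostMatches(url.hostname, allowedHosts);
}

// Handler for the Node.js http.Server 'upgrade' event. Returns true when
// the handshake may continue; otherwise answers 403 and drops the socket.
function guardUpgrade(req, socket, allowedHosts) {
  if (isAllowedOrigin(req.headers.origin, allowedHosts)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}

// Constructed sample Origin values checked against a constructed allow-list.
const ALLOWED = ['localhost', '127.0.0.1', '.dev.example.test'];
function checkSamples() {
  const samples = ['http://localhost:8080', 'https://app.dev.example.test',
    'http://localhost.attacker.example', 'https://evildev.example.test',
    'null', undefined];
  return samples.map((origin) => isAllowedOrigin(origin, ALLOWED));
}
console.log(checkSamples());
```

Matching on the parsed hostname is what keeps look-alike names such as `localhost.attacker.example` from passing a prefix or substring test.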