Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check origin header for websocket connection #1603

Merged
merged 3 commits into from Dec 21, 2018
Merged

check origin header for websocket connection #1603

merged 3 commits into from Dec 21, 2018

Conversation

sokra
Copy link
Member

@sokra sokra commented Dec 21, 2018
edited

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

no

Motivation / Use-Case

security fix

Breaking Changes

websocket is now checked for origin

Additional Info

hackel
Copy link

@hackel hackel commented on f18e5ad Nov 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any chance this security fix could be backported to 2.x?
Just noticed this. https://nodesecurity.io/advisories/725

alexander-akait
Copy link
Member

@alexander-akait alexander-akait commented on f18e5ad Nov 9, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, please update to 3 version, 2 is deprecated

aeegvk
Copy link

@aeegvk aeegvk commented on f18e5ad Jan 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to suggested version 3.1.11 and latest version 3.1.14 but still getting a vulnerability report. How come?

oles
Copy link
Contributor

@oles oles commented on f18e5ad Jan 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Experiencing the same as @aeegvk.

Seems like the error is in https://www.npmjs.com/advisories/725 though.

charlesfaustin
Copy link

@charlesfaustin charlesfaustin commented on f18e5ad Jan 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to suggested version 3.1.11 and latest version 3.1.14 but still getting a vulnerability report. How come?

there appears to be a typo in the npm vulnerability database
https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

@alexander-akait
Copy link
Member

@alexander-akait alexander-akait commented Dec 21, 2018

Need fix lint problems

@codecov
Copy link

@codecov codecov bot commented Dec 21, 2018
edited

Codecov Report

Merging #1603 into master will increase coverage by 0.03%.
The diff coverage is 60%.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #1603      +/-   ##
=========================================
+ Coverage   74.06%   74.1%   +0.03%     
=========================================
  Files          10      10              
  Lines         671     672       +1     
=========================================
+ Hits          497     498       +1     
  Misses        174     174
Impacted Files Coverage Δ
lib/Server.js 81.47% <60%> (+0.05%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 68dd49a...7b9c846. Read the comment docs.

@alexander-akait alexander-akait merged commit b3217ca into master Dec 21, 2018
6 of 7 checks passed
@alexander-akait alexander-akait deleted the bugfix/origin-header branch Dec 21, 2018
matheus1lva pushed a commit to matheus1lva/GrCartuchos that referenced this issue Dec 21, 2018
@greenkeeper @matheus1lva
Update webpack-dev-server in group default to the latest version 🚀 (#74)
8ff5cb9 
## The devDependency [webpack-dev-server](https://github.com/webpack/webpack-dev-server) was updated from `3.1.10` to `3.1.11`.
This version is **not covered** by your **current version range**.

If you don’t accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update.

---

<details>
<summary>Release Notes for v3.1.11</summary>

<p><a name="user-content-3.1.11"></a></p>
<h2><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/compare/v3.1.10...v3.1.11">3.1.11</a> (2018-12-21)</h2>
<h3>Bug Fixes</h3>
<ul>
<li><strong>bin/options:</strong> correct check for color support (<code>options.color</code>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1555" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1555/hovercard">#1555</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/55398b5">55398b5</a>)</li>
<li><strong>package:</strong> update <code>spdy</code> v3.4.1...4.0.0 (assertion error) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1491" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1491/hovercard">#1491</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1563" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1563/hovercard">#1563</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/7a3a257">7a3a257</a>)</li>
<li><strong>Server:</strong> correct <code>node</code> version checks (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1543" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1543/hovercard">#1543</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/927a2b3">927a2b3</a>)</li>
<li><strong>Server:</strong> mime type for wasm in contentBase directory (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1575" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1575/hovercard">#1575</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1580" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1580/hovercard">#1580</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fadae5d">fadae5d</a>)</li>
<li>add url for compatibility with webpack@5 (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1598" data-hovercard-type="issue" data-hovercard-url="/webpack/webpack-dev-server/issues/1598/hovercard">#1598</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1599" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1599/hovercard">#1599</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/68dd49a">68dd49a</a>)</li>
<li>check origin header for websocket connection (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/issues/1603" data-hovercard-type="pull_request" data-hovercard-url="/webpack/webpack-dev-server/pull/1603/hovercard">#1603</a>) (<a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/b3217ca">b3217ca</a>)</li>
</ul>
</details>

<details>
<summary>Commits</summary>
<p>The new version differs by 9 commits.</p>
<ul>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/ff2874f5f3a90e5727434cc10f69ac4d54896033"><code>ff2874f</code></a> <code>chore(release): 3.1.11</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/b3217ca8dc6b371a160b6749b949ab09d7b9f6d7"><code>b3217ca</code></a> <code>fix: check origin header for websocket connection (#1603)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/68dd49a5e44b270061e4746b2e01bbc72589ca3b"><code>68dd49a</code></a> <code>fix: add url for compatibility with webpack@5 (#1598) (#1599)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fadae5da6ba0261cade08164feeaad99b1de6b79"><code>fadae5d</code></a> <code>fix(Server): mime type for wasm in contentBase directory (#1575) (#1580)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/7a3a2579179b2ca0fd91405d9872ba2c3ed8db3a"><code>7a3a257</code></a> <code>fix(package): update <code>spdy</code> v3.4.1...4.0.0 (assertion error) (#1491) (#1563)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/1fe82dee4eef600946b2601a2d853cffbe65db0a"><code>1fe82de</code></a> <code>ci(travis): Node 11 (on OS X) crashes, use 10 for now (#1588)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/55398b5de17b9a845b1ee5aaa90bb2002c25ddfb"><code>55398b5</code></a> <code>fix(bin/options): correct check for color support (<code>options.color</code>) (#1555)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/927a2b38d4d3a5d8fd50dfce0343634d46fa8a92"><code>927a2b3</code></a> <code>fix(Server): correct <code>node</code> version checks (#1543)</code></li>
<li><a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/commit/fa96a76e9e5507bbf874044be0d95872768abf5e"><code>fa96a76</code></a> <code>chore(PULL_REQUEST_TEMPLATE): allow features (#1539)</code></li>
</ul>
<p>See the <a href="https://urls.greenkeeper.io/webpack/webpack-dev-server/compare/fe3219f614ad84afbaab1ecbd1d9aec4ff337d37...ff2874f5f3a90e5727434cc10f69ac4d54896033">full diff</a></p>
</details>

<details>
  <summary>FAQ and help</summary>

  There is a collection of [frequently asked questions](https://greenkeeper.io/faq.html). If those don’t help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new).
</details>

---


Your [Greenkeeper](https://greenkeeper.io) bot 🌴
@3846masa 3846masa mentioned this pull request Dec 22, 2018
Merged
6 tasks
@3846masa 3846masa mentioned this pull request Dec 22, 2018
Closed
1 task
@3846masa 3846masa mentioned this pull request Dec 22, 2018
Merged
6 tasks
@seanlaff seanlaff mentioned this pull request Dec 23, 2018
Closed
@carlosgeos carlosgeos mentioned this pull request Jan 1, 2019
Open
@carlosgeos carlosgeos mentioned this pull request Jan 3, 2019
Closed
2 tasks
@stefanvermaas stefanvermaas mentioned this pull request Jan 7, 2019
Closed
@timfjord timfjord mentioned this pull request Jan 14, 2019
Merged
6 tasks
ticky added a commit to buildkite/frontend that referenced this issue Jan 30, 2019
@ticky
Add buildkite.localhost to allowedHosts
e8d97f5 
Avoids more strict behaviour introduced by webpack/webpack-dev-server#1603
@dependabot dependabot bot mentioned this pull request Mar 7, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 7, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 7, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 11, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 12, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 14, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 15, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 16, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 17, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 17, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 17, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 17, 2021
Closed
@dependabot dependabot bot mentioned this pull request Mar 17, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 18, 2021
Merged
@dependabot dependabot bot mentioned this pull request Mar 18, 2021
Open
@dependabot dependabot bot mentioned this pull request Mar 18, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexander-akait alexander-akait

@michael-ciniawsky michael-ciniawsky

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@sokra @alexander-akait @charlesfaustin @oles @aeegvk @hackel