Added options.maxPayload for websocket clients #1402
Can you please elaborate a bit? I think that if a server sends frames so big that they can't be handled by clients, it's a server problem. There is no DoS in this case.
I am using websockets as a network protocol in an untrusted peer-to-peer network. Each peer in this network has a server and client role. Because peers do not trust other peers in this network, there must be a DoS protection on the websocket client interface. I am not sure if these changes are of any added value for the project. It may help people that use websockets in an untrusted environment however.
Ok thanks for the explanation. The option needs to be documented in https://github.com/websockets/ws/blob/master/doc/ws.md and at least one test should be added before this can be merged.
I also think this is a breaking change. The connection should not be closed if a frame bigger than 100 MiB is received on the client without bumping the major version.
I have included the requested testcase for option.maxPayload. Furthermore, perMessageDeflate in client mode now also works with options.maxPayload.
I did not find a section on maxPayload sizes in the IETF draft for v13: https://tools.ietf.org/html/draft-ietf-hybi-thewebsocketprotocol-13 I guess we do not have to bump the protocolVersion for this change.
Thank you.
## Version **6.0.0** of **ws** was just published. <table> <tr> <th align=left> Dependency </th> <td> <a target=_blank href=https://github.com/websockets/ws>ws</a> </td> </tr> <tr> <th align=left> Current Version </th> <td> 5.2.2 </td> </tr> <tr> <th align=left> Type </th> <td> dependency </td> </tr> </table> The version **6.0.0** is **not covered** by your **current version range**. If you don’t accept this pull request, your project will work just like it did before. However, you might be missing out on a bunch of new features, fixes and/or performance improvements from the dependency update. It might be worth looking into these changes and trying to get this project onto the latest version of ws. If you have a solid test suite and good coverage, a passing build is a strong indicator that you can take advantage of these changes directly by merging the proposed change into your project. If the build fails or you don’t have such unconditional trust in your tests, this branch is a great starting point for you to work on the update. --- <details> <summary>Release Notes</summary> <strong>6.0.0</strong> <h1>Breaking changes</h1> <ul> <li>Dropped support for Node.js 4 (<a class="commit-link" href="https://urls.greenkeeper.io/websockets/ws/commit/d73885c3f7c70b583030d683d9a0a025c98fbe00"><tt>d73885c</tt></a>).</li> <li>Added a shim that throws an error when used if the package is bundled for the<br> browser (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="310221102" data-permission-text="Issue title is private" data-url="websockets/ws#1345" href="https://urls.greenkeeper.io/websockets/ws/pull/1345">#1345</a>).</li> <li>Added a <code>maxPayload</code> option on the client. 
Defaults to 100 MiB (<a class="issue-link js-issue-link" data-error-text="Failed to load issue title" data-id="333186455" data-permission-text="Issue title is private" data-url="websockets/ws#1402" href="https://urls.greenkeeper.io/websockets/ws/pull/1402">#1402</a>).</li> <li>Dropped support for the <code>memLevel</code> and <code>level</code> options. Use<br> <code>zlibDeflateOptions</code> instead. (<a class="commit-link" href="https://urls.greenkeeper.io/websockets/ws/commit/80e20021f314d66e80032ecb8c2854ac61c6073c"><tt>80e2002</tt></a>).</li> </ul> </details> <details> <summary>Commits</summary> <p>The new version differs by 15 commits ahead by 15, behind by 2.</p> <ul> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/1ee42fd67d365409096c11af0d6bc70fbe292c60"><code>1ee42fd</code></a> <code>[dist] 6.0.0</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/d963003a40bfe6cdd58eb3d3e4458eb2b2090a2c"><code>d963003</code></a> <code>[example] Update dependencies</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/38d2e8b3f75ebccf8b0b205fafac959c1702ddfb"><code>38d2e8b</code></a> <code>chore(package): update eslint-plugin-node to version 7.0.0 (#1420)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/fc957939460cd0c461618bef4c6d59a9b5a4b90e"><code>fc95793</code></a> <code>[fix] Fix use after invalidation bug</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/fbd43914ad557ed915c41108b2f98b508a720216"><code>fbd4391</code></a> <code>[fix] Fix compatibility with Node.js 6</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/b354cd138e62dcb1e4e05ce8b0bc097534f23d76"><code>b354cd1</code></a> <code>[minor] Remove no longer needed workaround for <code>socketPath</code> option</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/ef5a8f5f5e4d3843d318d2b8a463b49d8105bd2e"><code>ef5a8f5</code></a> <code>[pkg] Update 
eslint-plugin-standard to version 3.1.0</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/80e20021f314d66e80032ecb8c2854ac61c6073c"><code>80e2002</code></a> <code>[major] Drop support for the <code>memLevel</code> and <code>level</code> options</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/92d0a2e9fc2b1cca6eb1ddf88ec4347986164cb1"><code>92d0a2e</code></a> <code>[major] Add <code>maxPayload</code> option for the client (#1402)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/9f87842888688318464af498300395b197b29712"><code>9f87842</code></a> <code>[major] Make bundlers use a browser shim that throws an error (#1345)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/72bfbe84f3d747b96416a646728932c9181ceffd"><code>72bfbe8</code></a> <code>chore(package): update bufferutil to version 4.0.0 (#1413)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/5bb29ed019529f17a557d59b3eb5d9a14f9e5643"><code>5bb29ed</code></a> <code>chore(package): update utf-8-validate to version 5.0.0 (#1415)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/3bc6b9672f60b7178f115e51beaf4f664f91484c"><code>3bc6b96</code></a> <code>chore(package): update eslint to version 5.0.0 (#1403)</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/d73885c3f7c70b583030d683d9a0a025c98fbe00"><code>d73885c</code></a> <code>[major] Drop support for Node.js 4</code></li> <li><a href="https://urls.greenkeeper.io/websockets/ws/commit/5d90141505dc41c129ab5d5228e37d49979d7541"><code>5d90141</code></a> <code>chore(package): update eslint-plugin-import to version 2.13.0 (#1405)</code></li> </ul> <p>See the <a href="https://urls.greenkeeper.io/websockets/ws/compare/5d55e52529167c25f4fec35cb4753294e75bf9f2...1ee42fd67d365409096c11af0d6bc70fbe292c60">full diff</a></p> </details> <details> <summary>FAQ and help</summary> There is a collection of [frequently 
asked questions](https://greenkeeper.io/faq.html). If those don’t help, you can always [ask the humans behind Greenkeeper](https://github.com/greenkeeperio/greenkeeper/issues/new). </details> --- Your [Greenkeeper](https://greenkeeper.io) bot 🌴
I came across a situation where a websocket client instance needs to be protected against large messages. This pull request makes the option.maxPayload option available for client instances.
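How a client-side payload limit of the kind this pull request asks for can be enforced from frame headers alone, as an added example that is not code from the ws project. `parseFrameHeader`, `PayloadGuard` and `sampleHeader` are hypothetical names, and the frames are constructed samples.

```javascript
// Added example; function and class names are hypothetical, not the ws API.
const MESSAGE_TOO_BIG = 1009; // RFC 6455 close status code "Message Too Big"

// Parse a frame header (RFC 6455 section 5.2); null means more bytes are needed.
function parseFrameHeader(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  let length = buf[1] & 0x7f;
  if (length === 126) {
    if (buf.length < 4) return null;
    length = buf.readUInt16BE(2);
  } else if (length === 127) {
    if (buf.length < 10) return null;
    const big = buf.readBigUInt64BE(2);
    // Lengths past 2^53 - 1 cannot be represented safely; treat as oversized.
    length = big > BigInt(Number.MAX_SAFE_INTEGER) ? Infinity : Number(big);
  }
  return { fin, opcode, length };
}

// Decides from declared lengths whether to keep reading, so an oversized
// message is rejected before any of its payload is buffered.
class PayloadGuard {
  constructor(maxPayload) {
    this.maxPayload = maxPayload;
    this.total = 0; // bytes declared so far for the message in progress
  }
  check(header) {
    if (header.opcode >= 0x8) return { ok: true }; // control frames: at most 125 bytes
    this.total += header.length; // fragments count towards the same message
    if (this.total > this.maxPayload) return { ok: false, closeCode: MESSAGE_TOO_BIG };
    if (header.fin) this.total = 0; // message complete, reset the counter
    return { ok: true };
  }
}

// Constructed sample: unmasked (server-to-client) frame header that always
// uses the 64-bit length form, for simplicity.
function sampleHeader(fin, opcode, length) {
  const buf = Buffer.alloc(10);
  buf[0] = (fin ? 0x80 : 0) | opcode;
  buf[1] = 127;
  buf.writeBigUInt64BE(BigInt(length), 2);
  return buf;
}
```

The guard counts fragments cumulatively, so a peer cannot get past the limit by splitting one large message into many small continuation frames.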