[security] Fix ReDoS vulnerability

A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. PoC and fix were sent privately by Robert McLaughlin from University of California, Santa Barbara.
websockets · Jun 1, 2021 · 78c676d · 78c676d
1 parent d57db27
commit 78c676d
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/websocket-server.js b/lib/websocket-server.js
@@ -280,7 +280,7 @@ class WebSocketServer extends EventEmitter {
  var protocol = req.headers['sec-websocket-protocol'];
 
  if (protocol) {
- protocol = protocol.trim().split(/ *, */);
+ protocol = protocol.split(',').map(trim);
 
  //
  // Optionally call external protocol selection handler.
@@ -399,3 +399,15 @@ function abortHandshake(socket, code, message, headers) {
  socket.removeListener('error', socketOnError);
  socket.destroy();
 }
+
+/**
+ * Remove whitespace characters from both ends of a string.
+ *
+ * @param {String} str The string
+ * @return {String} A new string representing `str` stripped of whitespace
+ * characters from both its beginning and end
+ * @private
+ */
+function trim(str) {
+ return str.trim();
+}