[security] Fix crash when the Upgrade header cannot be read (#2231)

It is possible that the Upgrade header is correctly received and handled (the `'upgrade'` event is emitted) without its value being returned to the user. This can happen if the number of received headers exceed the `server.maxHeadersCount` or `request.maxHeadersCount` threshold. In this case `incomingMessage.headers.upgrade` may not be set. Handle the case correctly and abort the handshake. Fixes #2230
websockets · Jun 16, 2024 · eeb76d3 · eeb76d3
1 parent 9bdb580
commit eeb76d3
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/lib/websocket-server.js b/lib/websocket-server.js
@@ -186,12 +186,14 @@ class WebSocketServer extends EventEmitter {
  req.headers['sec-websocket-key'] !== undefined
  ? req.headers['sec-websocket-key'].trim()
  : false;
+ const upgrade = req.headers.upgrade;
  const version = +req.headers['sec-websocket-version'];
  const extensions = {};
 
  if (
  req.method !== 'GET' ||
- req.headers.upgrade.toLowerCase() !== 'websocket' ||
+ upgrade === undefined ||
+ upgrade.toLowerCase() !== 'websocket' ||
  !key ||
  !keyRegex.test(key) ||
  (version !== 8 && version !== 13) ||

diff --git a/test/websocket-server.test.js b/test/websocket-server.test.js
@@ -383,6 +383,47 @@ describe('WebSocketServer', () => {
  });
 
  describe('Connection establishing', () => {
+ it('fails if the Upgrade header field value cannot be read', (done) => {
+ const server = http.createServer();
+ const wss = new WebSocket.Server({ noServer: true });
+
+ server.maxHeadersCount = 1;
+
+ server.on('upgrade', (req, socket, head) => {
+ assert.deepStrictEqual(req.headers, { foo: 'bar' });
+ wss.handleUpgrade(req, socket, head, () => {
+ done(new Error('Unexpected callback invocation'));
+ });
+ });
+
+ server.listen(() => {
+ const req = http.get({
+ port: server.address().port,
+ headers: {
+ foo: 'bar',
+ bar: 'baz',
+ Connection: 'Upgrade',
+ Upgrade: 'websocket'
+ }
+ });
+
+ req.on('response', (res) => {
+ assert.strictEqual(res.statusCode, 400);
+
+ const chunks = [];
+
+ res.on('data', (chunk) => {
+ chunks.push(chunk);
+ });
+
+ res.on('end', () => {
+ assert.strictEqual(Buffer.concat(chunks).toString(), 'Bad Request');
+ server.close(done);
+ });
+ });
+ });
+ });
+
  it('fails if the Sec-WebSocket-Key header is invalid (1/2)', (done) => {
  const wss = new WebSocket.Server({ port: 0 }, () => {
  const req = http.get({