fix: prevent crash when provided with an invalid query param

A specially crafted request could lead to the following exception: > TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') > at Server.onWebSocket (build/server.js:515:67) This bug was introduced in [1], released in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. [1]: 7096e98
socketio · May 1, 2023 · fc480b4 · fc480b4
1 parent 0141951
commit fc480b4
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 2 deletions.
diff --git a/lib/server.ts b/lib/server.ts
@@ -682,7 +682,7 @@ export class Server extends BaseServer {
 
     const res = new WebSocketResponse(req, socket);
     const callback = (errorCode, errorContext) => {
-      if (errorCode) {
+      if (errorCode !== undefined) {
         this.emit("connection_error", {
           req,
           code: errorCode,

diff --git a/lib/userver.ts b/lib/userver.ts
@@ -165,7 +165,7 @@ export class uServer extends BaseServer {
     req.res = res;
 
     const callback = async (errorCode, errorContext) => {
-      if (errorCode) {
+      if (errorCode !== undefined) {
         this.emit("connection_error", {
           req,
           code: errorCode,

diff --git a/test/server.js b/test/server.js
@@ -11,6 +11,7 @@ const { ClientSocket, listen, createPartialDone } = require("./common");
 const expect = require("expect.js");
 const request = require("superagent");
 const cookieMod = require("cookie");
+const { WebSocket } = require("ws");
 
 /**
  * Tests.
@@ -197,6 +198,51 @@ describe("server", () => {
           });
       });
     });
+
+    it("should disallow `__proto__` as transport (polling)", (done) => {
+      const partialDone = createPartialDone(done, 2);
+
+      engine = listen((port) => {
+        engine.on("connection_error", (err) => {
+          expect(err.req).to.be.ok();
+          expect(err.code).to.be(0);
+          expect(err.message).to.be("Transport unknown");
+          expect(err.context.transport).to.be("__proto__");
+          partialDone();
+        });
+
+        request
+          .get(`http://localhost:${port}/engine.io/`)
+          .query({ transport: "__proto__", EIO: 4 })
+          .end((err, res) => {
+            expect(err).to.be.an(Error);
+            expect(res.status).to.be(400);
+            expect(res.body.code).to.be(0);
+            expect(res.body.message).to.be("Transport unknown");
+            partialDone();
+          });
+      });
+    });
+
+    it("should disallow `__proto__` as transport (websocket)", (done) => {
+      const partialDone = createPartialDone(done, 2);
+
+      engine = listen((port) => {
+        engine.on("connection_error", (err) => {
+          expect(err.req).to.be.ok();
+          expect(err.code).to.be(0);
+          expect(err.message).to.be("Transport unknown");
+          expect(err.context.transport).to.be("__proto__");
+          partialDone();
+        });
+
+        const socket = new WebSocket(
+          `ws://localhost:${port}/engine.io/?EIO=4&transport=__proto__`
+        );
+
+        socket.onerror = partialDone;
+      });
+    });
   });
 
   describe("handshake", () => {