[security] Fix ReDoS vulnerability

A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. PoC and fix were sent privately by Robert McLaughlin from University of California, Santa Barbara.
websockets · May 25, 2021 · 00c425e · 00c425e
1 parent 990306d
commit 00c425e
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/lib/websocket-server.js b/lib/websocket-server.js
@@ -286,7 +286,7 @@ class WebSocketServer extends EventEmitter {
     let protocol = req.headers['sec-websocket-protocol'];
 
     if (protocol) {
-      protocol = protocol.trim().split(/ *, */);
+      protocol = protocol.split(',').map(trim);
 
       //
       // Optionally call external protocol selection handler.
@@ -404,3 +404,15 @@ function abortHandshake(socket, code, message, headers) {
   socket.removeListener('error', socketOnError);
   socket.destroy();
 }
+
+/**
+ * Remove whitespace characters from both ends of a string.
+ *
+ * @param {String} str The string
+ * @return {String} A new string representing `str` stripped of whitespace
+ *     characters from both its beginning and end
+ * @private
+ */
+function trim(str) {
+  return str.trim();
+}