[security] Fix ReDoS vulnerability

lpinca · lpinca · commit 00c425ec7799 · 2021-05-25T18:09:51.000+02:00
A specially crafted value of the `Sec-Websocket-Protocol` header could
be used to significantly slow down a ws server.

PoC and fix were sent privately by Robert McLaughlin from University of
California, Santa Barbara.
diff --git a/lib/websocket-server.js b/lib/websocket-server.js
@@ -286,7 +286,7 @@ class WebSocketServer extends EventEmitter {
     let protocol = req.headers['sec-websocket-protocol'];
 
     if (protocol) {
-      protocol = protocol.trim().split(/ *, */);
+      protocol = protocol.split(',').map(trim);
 
       //
       // Optionally call external protocol selection handler.
@@ -404,3 +404,15 @@ function abortHandshake(socket, code, message, headers) {
   socket.removeListener('error', socketOnError);
   socket.destroy();
 }
+
+/**
+ * Remove whitespace characters from both ends of a string.
+ *
+ * @param {String} str The string
+ * @return {String} A new string representing `str` stripped of whitespace
+ *     characters from both its beginning and end
+ * @private
+ */
+function trim(str) {
+  return str.trim();
+}
