@@ -937,6 +937,21 @@ var require_errors = __commonJS({
937937 }
938938 [kSecureProxyConnectionError] = true;
939939 };
940+ var kMessageSizeExceededError = /* @__PURE__ */ Symbol.for("undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED");
941+ var MessageSizeExceededError = class extends UndiciError {
942+ constructor(message) {
943+ super(message);
944+ this.name = "MessageSizeExceededError";
945+ this.message = message || "Max decompressed message size exceeded";
946+ this.code = "UND_ERR_WS_MESSAGE_SIZE_EXCEEDED";
947+ }
948+ static [Symbol.hasInstance](instance) {
949+ return instance && instance[kMessageSizeExceededError] === true;
950+ }
951+ get [kMessageSizeExceededError]() {
952+ return true;
953+ }
954+ };
940955 module2.exports = {
941956 AbortError: AbortError3,
942957 HTTPParserError,
@@ -960,7 +975,8 @@ var require_errors = __commonJS({
960975 ResponseExceededMaxSizeError,
961976 RequestRetryError,
962977 ResponseError,
963- SecureProxyConnectionError
978+ SecureProxyConnectionError,
979+ MessageSizeExceededError
964980 };
965981 }
966982});
@@ -1970,6 +1986,9 @@ var require_request = __commonJS({
19701986 if (upgrade && typeof upgrade !== "string") {
19711987 throw new InvalidArgumentError("upgrade must be a string");
19721988 }
1989+ if (upgrade && !isValidHeaderValue(upgrade)) {
1990+ throw new InvalidArgumentError("invalid upgrade header");
1991+ }
19731992 if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) {
19741993 throw new InvalidArgumentError("invalid headersTimeout");
19751994 }
@@ -2202,12 +2221,18 @@ var require_request = __commonJS({
22022221 } else {
22032222 val = `${val}`;
22042223 }
2205- if (request.host === null && headerName === "host") {
2224+ if (headerName === "host") {
2225+ if (request.host !== null) {
2226+ throw new InvalidArgumentError("duplicate host header");
2227+ }
22062228 if (typeof val !== "string") {
22072229 throw new InvalidArgumentError("invalid host header");
22082230 }
22092231 request.host = val;
2210- } else if (request.contentLength === null && headerName === "content-length") {
2232+ } else if (headerName === "content-length") {
2233+ if (request.contentLength !== null) {
2234+ throw new InvalidArgumentError("duplicate content-length header");
2235+ }
22112236 request.contentLength = parseInt(val, 10);
22122237 if (!Number.isFinite(request.contentLength)) {
22132238 throw new InvalidArgumentError("invalid content-length header");
@@ -16979,13 +17004,17 @@ var require_util7 = __commonJS({
1697917004 return extensionList;
1698017005 }
1698117006 function isValidClientWindowBits(value) {
17007+ if (value.length === 0) {
17008+ return false;
17009+ }
1698217010 for (let i = 0; i < value.length; i++) {
1698317011 const byte = value.charCodeAt(i);
1698417012 if (byte < 48 || byte > 57) {
1698517013 return false;
1698617014 }
1698717015 }
16988- return true;
17016+ const num = Number.parseInt(value, 10);
17017+ return num >= 8 && num <= 15;
1698917018 }
1699017019 var hasIntl = typeof process.versions.icu === "string";
1699117020 var fatalDecoder = hasIntl ? new TextDecoder("utf-8", { fatal: true }) : void 0;
@@ -17284,18 +17313,31 @@ var require_permessage_deflate = __commonJS({
1728417313 "use strict";
1728517314 var { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require("node:zlib");
1728617315 var { isValidClientWindowBits } = require_util7();
17316+ var { MessageSizeExceededError } = require_errors();
1728717317 var tail = Buffer.from([0, 0, 255, 255]);
1728817318 var kBuffer = /* @__PURE__ */ Symbol("kBuffer");
1728917319 var kLength = /* @__PURE__ */ Symbol("kLength");
17320+ var kDefaultMaxDecompressedSize = 4 * 1024 * 1024;
1729017321 var PerMessageDeflate = class {
1729117322 /** @type {import('node:zlib').InflateRaw} */
1729217323 #inflate;
1729317324 #options = {};
17325+ /** @type {boolean} */
17326+ #aborted = false;
17327+ /** @type {Function|null} */
17328+ #currentCallback = null;
17329+ /**
17330+ * @param {Map<string, string>} extensions
17331+ */
1729417332 constructor(extensions) {
1729517333 this.#options.serverNoContextTakeover = extensions.has("server_no_context_takeover");
1729617334 this.#options.serverMaxWindowBits = extensions.get("server_max_window_bits");
1729717335 }
1729817336 decompress(chunk, fin, callback) {
17337+ if (this.#aborted) {
17338+ callback(new MessageSizeExceededError());
17339+ return;
17340+ }
1729917341 if (!this.#inflate) {
1730017342 let windowBits = Z_DEFAULT_WINDOWBITS;
1730117343 if (this.#options.serverMaxWindowBits) {
@@ -17305,26 +17347,51 @@ var require_permessage_deflate = __commonJS({
1730517347 }
1730617348 windowBits = Number.parseInt(this.#options.serverMaxWindowBits);
1730717349 }
17308- this.#inflate = createInflateRaw({ windowBits });
17350+ try {
17351+ this.#inflate = createInflateRaw({ windowBits });
17352+ } catch (err) {
17353+ callback(err);
17354+ return;
17355+ }
1730917356 this.#inflate[kBuffer] = [];
1731017357 this.#inflate[kLength] = 0;
1731117358 this.#inflate.on("data", (data) => {
17312- this.#inflate[kBuffer].push(data);
17359+ if (this.#aborted) {
17360+ return;
17361+ }
1731317362 this.#inflate[kLength] += data.length;
17363+ if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) {
17364+ this.#aborted = true;
17365+ this.#inflate.removeAllListeners();
17366+ this.#inflate.destroy();
17367+ this.#inflate = null;
17368+ if (this.#currentCallback) {
17369+ const cb = this.#currentCallback;
17370+ this.#currentCallback = null;
17371+ cb(new MessageSizeExceededError());
17372+ }
17373+ return;
17374+ }
17375+ this.#inflate[kBuffer].push(data);
1731417376 });
1731517377 this.#inflate.on("error", (err) => {
1731617378 this.#inflate = null;
1731717379 callback(err);
1731817380 });
1731917381 }
17382+ this.#currentCallback = callback;
1732017383 this.#inflate.write(chunk);
1732117384 if (fin) {
1732217385 this.#inflate.write(tail);
1732317386 }
1732417387 this.#inflate.flush(() => {
17388+ if (this.#aborted || !this.#inflate) {
17389+ return;
17390+ }
1732517391 const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength]);
1732617392 this.#inflate[kBuffer].length = 0;
1732717393 this.#inflate[kLength] = 0;
17394+ this.#currentCallback = null;
1732817395 callback(null, full);
1732917396 });
1733017397 }
@@ -17364,6 +17431,10 @@ var require_receiver = __commonJS({
1736417431 #fragments = [];
1736517432 /** @type {Map<string, PerMessageDeflate>} */
1736617433 #extensions;
17434+ /**
17435+ * @param {import('./websocket').WebSocket} ws
17436+ * @param {Map<string, string>|null} extensions
17437+ */
1736717438 constructor(ws, extensions) {
1736817439 super();
1736917440 this.ws = ws;
@@ -17467,12 +17538,12 @@ var require_receiver = __commonJS({
1746717538 }
1746817539 const buffer3 = this.consume(8);
1746917540 const upper = buffer3.readUInt32BE(0);
17470- if (upper > 2 ** 31 - 1) {
17541+ const lower = buffer3.readUInt32BE(4);
17542+ if (upper !== 0 || lower > 2 ** 31 - 1) {
1747117543 failWebsocketConnection(this.ws, "Received payload length > 2^31 bytes.");
1747217544 return;
1747317545 }
17474- const lower = buffer3.readUInt32BE(4);
17475- this.#info.payloadLength = (upper << 8) + lower;
17546+ this.#info.payloadLength = lower;
1747617547 this.#state = parserStates.READ_DATA;
1747717548 } else if (this.#state === parserStates.READ_DATA) {
1747817549 if (this.#byteOffset < this.#info.payloadLength) {
@@ -17494,7 +17565,7 @@ var require_receiver = __commonJS({
1749417565 } else {
1749517566 this.#extensions.get("permessage-deflate").decompress(body2, this.#info.fin, (error2, data) => {
1749617567 if (error2) {
17497- closeWebSocketConnection (this.ws, 1007, error2.message, error2.message.length );
17568+ failWebsocketConnection (this.ws, error2.message);
1749817569 return;
1749917570 }
1750017571 this.#fragments.push(data);
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4&size=40){kind=avatar}
0 commit comments