base repository: nodejs/undici
base: v6.23.0
head repository: nodejs/undici
compare: v6.24.0
- 12 commits
- 32 files changed
- 4 contributors
Commits on Mar 12, 2026
fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
Add protection against decompression bomb attacks in WebSocket permessage-deflate extension. A malicious server could send a small compressed payload that expands to an extremely large size, causing memory exhaustion.
Changes:
- Add maxDecompressedMessageSize option to WebSocket constructor
- Default limit: 4 MB
- Abort decompression immediately when limit exceeded
- Close connection with status code 1009 (Message Too Big)
- Add MessageSizeExceededError (UND_ERR_WS_MESSAGE_SIZE_EXCEEDED)
- Add comprehensive tests for the new limit behavior
- Update TypeScript types and documentation
Signed-off-by: Matteo Collina <[email protected]>
(cherry picked from commit 2ee00cb)
Commit: 4b4f93a
fix: validate server_max_window_bits range in permessage-deflate
The isValidClientWindowBits() function only checked for ASCII digits, allowing out-of-range values like "1000" to pass validation. When these values were passed to zlib's createInflateRaw(), it threw an unhandled RangeError that crashed the process.
Changes:
- Update isValidClientWindowBits() to validate range 8-15 (per RFC 7692)
- Add try-catch around createInflateRaw() as defense in depth
- Add comprehensive tests for windowBits validation
(cherry picked from commit cb79c57)
Commit: e9e2997
fix: validate upgrade header to prevent CRLF injection
Add validation for the upgrade option in Request constructor using isValidHeaderValue() to prevent CRLF injection attacks that could enable protocol smuggling to internal services.
Signed-off-by: Matteo Collina <[email protected]>
Co-Authored-By: Ulises Gascón <[email protected]>
Signed-off-by: Ulises Gascón <[email protected]>
(cherry picked from commit 77594f9)
Commit: e43e898
Fix websocket 64-bit length overflow
Signed-off-by: Matteo Collina <[email protected]>
(cherry picked from commit 84235c6)
Commit: 5a97f08
fix: reject duplicate content-length and host headers
When headers are passed as an array, reject duplicate content-length and host headers regardless of casing. This prevents malformed HTTP/1.1 requests with multiple Content-Length values from being sent on the wire.
Previously, case-variant duplicates (e.g., 'Content-Length' and 'content-length') would bypass the duplicate check, resulting in ambiguous HTTP requests that could be interpreted inconsistently by proxies and backends.
Signed-off-by: Matteo Collina <[email protected]>
(cherry picked from commit 74495c6)
Commit: 4e0179a
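The two request-header checks the commit messages above describe (rejecting CR/LF in a header value such as the upgrade option, and rejecting a second content-length or host header whatever its casing when headers arrive as a flat array), as an added illustration written for this page. It is not undici's code: the function names, the flat `[name, value, name, value]` array shape, the error strings and the exact control-character set are my choices; isValidHeaderValue is only named after the function the commit mentions.

```javascript
// Added example, not undici's code. Request-header validation that mirrors
// the two fixes above: no CR/LF/NUL in header values, and at most one
// content-length and one host header, compared case-insensitively.

// Headers that must not be repeated: duplicates make the message length or
// target ambiguous, and proxies and backends may resolve that differently.
const SINGLETON_HEADERS = new Set(['content-length', 'host']);

// A value containing CR, LF or NUL would end the header line on the wire and
// let the remainder be parsed as a separate header (CRLF injection).
function isValidHeaderValue(value) {
  return typeof value === 'string' && !/[\r\n\0]/.test(value);
}

// Validates a flat [name, value, name, value, ...] header array. Returns null
// when the array is acceptable, otherwise a string naming the first problem.
function validateHeaderArray(headers) {
  if (!Array.isArray(headers) || headers.length % 2 !== 0) {
    return 'headers array must contain name/value pairs';
  }
  const seen = new Set();
  for (let i = 0; i < headers.length; i += 2) {
    const name = headers[i];
    const value = headers[i + 1];
    if (typeof name !== 'string' || name.length === 0) {
      return `invalid header name at index ${i}`;
    }
    if (!isValidHeaderValue(value)) {
      return `invalid value for header "${name}"`;
    }
    // Lower-casing before the lookup is what closes the case-variant bypass.
    const key = name.toLowerCase();
    if (SINGLETON_HEADERS.has(key)) {
      if (seen.has(key)) return `duplicate ${key} header`;
      seen.add(key);
    }
  }
  return null;
}

// The `upgrade` option ends up as a header value, so it gets the same check.
// Returns null when acceptable (or absent), otherwise an error string.
function validateUpgradeOption(upgrade) {
  if (upgrade === undefined || upgrade === null) return null;
  return isValidHeaderValue(upgrade) ? null : 'invalid upgrade header';
}

module.exports = { isValidHeaderValue, validateHeaderArray, validateUpgradeOption };
```

Validation has to run on the normalised name rather than on the raw string the caller supplied; that is the whole difference between the old check and the fixed one.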
fix: adapt websocket frame-limit handling for v6 parser
Signed-off-by: Matteo Collina <[email protected]>
Commit: 7df6442
test: increase bitness in test/fixtures/*.pem (#3659)
(cherry picked from commit e04abdd)
Commit: 4cd3f4b
* test: fix key-size pem errors
* chore: use @metcoder95/https-pem
* fix: ci
* fix: ci
(cherry picked from commit 8dd120e)
Commit: dc032a1
test: stabilize h2 and tls-cert-leak under current test runner
Signed-off-by: Matteo Collina <[email protected]>
Commit: a444e4f
test: fix http2 lint regressions in backport
Signed-off-by: Matteo Collina <[email protected]>
Commit: 844bf59
test(websocket): use node:assert for Node 18 compatibility
Signed-off-by: Matteo Collina <[email protected]>
Commit: 411bd01
Commit: 8873c94
You can try running this command locally to see the comparison on your machine:
git diff v6.23.0...v6.24.0