Fix bug in 16-bit frame length when buffer is a subarray by jawj · Pull Request #2106 · nodejs/undici (original) (raw)

added 2 commits

May 2, 2023 18:40

I was just bitten by this issue. Because buffer could be a subarray, the byteOffset and byteLength arguments to new DataView() are required, otherwise the length value may be written at the wrong offset.

Alternatively, it looks like it would be simpler (and it also works) to replace the patched line with buffer.writeUInt16BE(bodyLength, 2).

Fixed bug in 16-bit frame length when buffer is a subarray

…of DataView.setUint16, and added a test for the fix

kodiakhq Bot referenced this pull request in ascorbic/unpic-img

May 14, 2023

This was referenced

Jun 1, 2023

jawj mentioned this pull request

Jun 2, 2023

Kikobeats added a commit to vercel/vercel that referenced this pull request

Jun 20, 2023

We avoided to use undici.WebSocket because @jawj found a bug in the implementation.

The fix was merged in undici@5.22.1, so we can be back to use it.

The latest version of Edge Runtime exposes undici.WebSocket compatible with node.js 14, 16 & 18

Co-authored-by: Sean Massa endangeredmassa@gmail.com

metcoder95 pushed a commit to metcoder95/undici that referenced this pull request

Jul 21, 2023

kodiakhq Bot referenced this pull request in X-oss-byte/Canary-nextjs

Oct 1, 2023

kodiakhq Bot referenced this pull request in X-oss-byte/Nextjs

Oct 6, 2023

louis-bompart referenced this pull request in coveo/cli

Jan 16, 2024

…#1402)

](https://renovatebot.com)

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici
(source)	[`5.22.0` ->
`5.26.2`](https://renovatebot.com/diffs/npm/undici/5.22.0/5.26.2)
](https://docs.renovatebot.com/merge-confidence/)

](https://docs.renovatebot.com/merge-confidence/)

](https://docs.renovatebot.com/merge-confidence/)

](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

`v5.26.2`

Compare Source

Security Release, CVE-2023-45143.

What's Changed

bump engines to node >= 16 by @ronag in https://github.com/nodejs/undici/pull/2119
Revert "bump engines to node >= 16 (#2119)" by

@ronag in https://github.com/nodejs/undici/pull/2121

fetch: set referrer properly by @KhafraDev in https://github.com/nodejs/undici/pull/2125
fix: support truncated gzip by @jimmywarting in https://github.com/nodejs/undici/pull/2126
workflow: apply security best practices by @step-security-bot in https://github.com/nodejs/undici/pull/2130
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in https://github.com/nodejs/undici/pull/2135
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in https://github.com/nodejs/undici/pull/2133
build(deps): bump node from 18-alpine to 20-alpine in /build by @dependabot in https://github.com/nodejs/undici/pull/2131
build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @dependabot in https://github.com/nodejs/undici/pull/2136
build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in https://github.com/nodejs/undici/pull/2132
build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2142
build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @dependabot in https://github.com/nodejs/undici/pull/2148
fix(pr): use correct pr template file by @AugustinMauroy in https://github.com/nodejs/undici/pull/2141
Additional WebSocket send tests to cover all payload size categories by @jawj in https://github.com/nodejs/undici/pull/2149
fix: reverse decompression order of "Content-Encoding" encodings (fixes #2158) by @rychkog in https://github.com/nodejs/undici/pull/2159
fix: keep running WPTs if a test times out by @KhafraDev in https://github.com/nodejs/undici/pull/2165
feat: add build environment info by @mhdawson in https://github.com/nodejs/undici/pull/2168
fix: forward error reason to fetch controller by @KhafraDev in https://github.com/nodejs/undici/pull/2172
stricter types for bodymixin.json by @KhafraDev in https://github.com/nodejs/undici/pull/2181
chore: Renable autoSelectFamily tests. by @ShogunPanda in https://github.com/nodejs/undici/pull/2180
build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in https://github.com/nodejs/undici/pull/2147
build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @dependabot in https://github.com/nodejs/undici/pull/2185
fix: fetch resource timing performance entry names should be strings by @GaryWilber in https://github.com/nodejs/undici/pull/2188
build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in https://github.com/nodejs/undici/pull/2176
build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @dependabot in https://github.com/nodejs/undici/pull/2177
build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in https://github.com/nodejs/undici/pull/2178
build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in https://github.com/nodejs/undici/pull/2175
test: fix autoselectfamily on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
fix: make multipart/form-data boundary string more consistent by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
docs: add proxy agent options docs by @dancastillo in https://github.com/nodejs/undici/pull/2193
build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @dependabot in https://github.com/nodejs/undici/pull/2205
feat: make use of addAbortListener where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195

New Contributors

@step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
@AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
@rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
@mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
@GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
@atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

`v5.22.1`

Compare Source

What's Changed

Cache storage by @KhafraDev in https://github.com/nodejs/undici/pull/2076
test: skip content-disposition test in node 18 by @KhafraDev in https://github.com/nodejs/undici/pull/2081
Cache storage cleanup by @KhafraDev in https://github.com/nodejs/undici/pull/2082
Cache storage fixes by @KhafraDev in https://github.com/nodejs/undici/pull/2083
test: improve test coverage for ErrorEvent and MessageEvent by @KhafraDev in https://github.com/nodejs/undici/pull/2085
test: remove --experimental-wasm-simd by @KhafraDev in https://github.com/nodejs/undici/pull/2087
websocket: add websocketinit by @KhafraDev in https://github.com/nodejs/undici/pull/2088
feat(websocket): allow setting custom headers by @KhafraDev in https://github.com/nodejs/undici/pull/2089
test: fix tests failing only on node v20 by @KhafraDev in https://github.com/nodejs/undici/pull/2096
fix: skip set content-length when FormData value is stream by @fengmk2 in https://github.com/nodejs/undici/pull/2091
doc: update outdated command in contributing.md by @jazelly in https://github.com/nodejs/undici/pull/2099
cache: fix most failing WPTs by @KhafraDev in https://github.com/nodejs/undici/pull/2100
feat: allow build:wasm to auto detect platform by @jazelly in https://github.com/nodejs/undici/pull/2102
docs: updated Error documentation (fixes #2090) by @titanism in https://github.com/nodejs/undici/pull/2092
mimesniff: fix many broken tests by @KhafraDev in https://github.com/nodejs/undici/pull/2103
test: fix failing tests by @KhafraDev in https://github.com/nodejs/undici/pull/2097
build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by @dependabot in https://github.com/nodejs/undici/pull/2105
fix: more informative error message to tell that the server doesn't match http/1.1 protocol by @Songkeys in https://github.com/nodejs/undici/pull/2055
Fix bug in 16-bit frame length when buffer is a subarray by @jawj in https://github.com/nodejs/undici/pull/2106
update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2108
fix: update error definitions by @dfilatov in https://github.com/nodejs/undici/pull/2112
fix: make assertion a noop by @ronag in https://github.com/nodejs/undici/pull/2111

New Contributors

@jazelly made their first contribution in https://github.com/nodejs/undici/pull/2099
@titanism made their first contribution in https://github.com/nodejs/undici/pull/2092
@Songkeys made their first contribution in https://github.com/nodejs/undici/pull/2055
@jawj made their first contribution in https://github.com/nodejs/undici/pull/2106
@dfilatov made their first contribution in https://github.com/nodejs/undici/pull/2112

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: developer-experience-bot[bot] <91079284+developer-experience-bot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

crysmags pushed a commit to crysmags/undici that referenced this pull request

Feb 27, 2024

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})

Fix bug in 16-bit frame length when buffer is a subarray by jawj · Pull Request #2106 · nodejs/undici (original) (raw)

GitHub Vulnerability Alerts

Impact

Patches

Release Notes

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

Notable Changes

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

Configuration