allow http & https websocket urls by KhafraDev · Pull Request #2218 · nodejs/undici (original) (raw)

@KhafraDev

@KhafraDev

@codecov-commenter

Codecov Report

Patch coverage: 77.77% and project coverage change: -0.04% ⚠️

Comparison is base (f08379c) 85.93% compared to head (3e44f60) 85.90%.

Additional details and impacted files

@@ Coverage Diff @@ ## main #2218 +/- ##

Files Changed Coverage Δ
lib/websocket/websocket.js 92.01% <77.77%> (-1.22%) ⬇️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@KhafraDev

@KhafraDev

anonrig

// 3. If urlRecord’s scheme is not "ws" or "wss", then throw a
// "SyntaxError" DOMException.
// 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws".
if (urlRecord.protocol === 'http:') {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you store the protocol in a variable so it doesn't trigger the getter everytime?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can't do this because the protocol might be changed

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Line 75 and 77 triggers the protocol getters, which can just be removed into one.

ronag

anonrig

urlRecord.protocol = 'wss:'
}
// 6. If urlRecord’s scheme is not "ws" or "wss", then throw a "SyntaxError" DOMException.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The next line triggers the protocol getters, and can just be replaced buy a boolean variable. The getters of URLs splices the string, and avoiding them is a good practice imho.

// 3. If urlRecord’s scheme is not "ws" or "wss", then throw a
// "SyntaxError" DOMException.
// 4. If urlRecord’s scheme is "http", then set urlRecord’s scheme to "ws".
if (urlRecord.protocol === 'http:') {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: Line 75 and 77 triggers the protocol getters, which can just be removed into one.

// 7. If urlRecord’s fragment is non-null, then throw a "SyntaxError"
// DOMException.
if (urlRecord.hash) {
if (urlRecord.hash |

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should have a method in the WHATWG url to get if the fragment is non-null.

Nit: urlRecord.hash.length > 0 || urlRecord.href.endsWith('#')

@KhafraDev

I think we can leave possible performance improvements to a dedicated PR, maybe once or if this lands in core when there might be more contributors

@metcoder95

After the h2 work, I'll try to spend some time on the performance topics.

@mcollina

how does this work? May I ask for a quick example? It's hard to grasp from the wpts.

@KhafraDev

it's the same as using a ws or wss url:

new WebSocket('http://websocket') // is the same as new WebSocket('ws://websocket')

new WebSocket('https://websocket') // is the same as new WebSocket('wss://websocket')

from the PR that added this: "They are instantly normalized to the ws: and wss: schemes."

kodiakhq Bot referenced this pull request in ascorbic/unpic-img

Sep 11, 2023

@renovate

kodiakhq Bot referenced this pull request in X-oss-byte/Canary-nextjs

Oct 1, 2023

@renovate

kodiakhq Bot referenced this pull request in X-oss-byte/Nextjs

Oct 6, 2023

@renovate

kfcampbell referenced this pull request in octokit/rest.js

Oct 16, 2023

@renovate

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.22.1 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.1/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

@​ronag in https://github.com/nodejs/undici/pull/2121

New Contributors

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

renovate Bot referenced this pull request in specfy/specfy

Oct 16, 2023

@renovate

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.23.0 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.23.0/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

louis-bompart referenced this pull request in coveo/cli

Jan 16, 2024

@renovate @developer-experience-bot

…#1402)

Mend Renovate](https://renovatebot.com)

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici
(source) [5.22.0 ->
5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.0/5.26.2)
age](https://docs.renovatebot.com/merge-confidence/)
adoption](https://docs.renovatebot.com/merge-confidence/)
passing](https://docs.renovatebot.com/merge-confidence/)
confidence](https://docs.renovatebot.com/merge-confidence/)

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

@​ronag in https://github.com/nodejs/undici/pull/2121

New Contributors

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

v5.22.1

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

Co-authored-by: developer-experience-bot[bot] <91079284+developer-experience-bot[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

crysmags pushed a commit to crysmags/undici that referenced this pull request

Feb 27, 2024

@KhafraDev @crysmags

This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters

[ Show hidden characters]({{ revealButtonHref }})