Is there an existing issue for this?
- I've searched for any related issues and avoided creating a duplicate issue.
Description
I use this package for a websocket server. In the process of changing some options to try to make my websocket server slightly more resistant to DoS, I lowered the maxHeadersCount field on the HTTP server from its default of 2000 to a lower value. I then tested to see whether the server would reject requests with too many headers. Instead, the server crashed due to a TypeError from websocket-server.js line 246. This seems like a DoS issue.
I found this similar issue: #1838
ws version
8.17.0
Node.js Version
v21.5.0
System
OS: Debian GNU/Linux 12 (bookworm)
CPU: x64 Intel Core i5 CPU
Memory: 2.62 GB / 6.58 GB
Container: Yes
Shell: /bin/bash
Expected result
I expected the websocket server to refuse the handshake. Maybe respond with a 400 Bad Request. I did not expect my server app to crash from a TypeError.
Actual result
webpack://somewhere/node_modules/ws/lib/websocket-server.js:246
    if (req.headers.upgrade.toLowerCase() !== 'websocket') {
                            ^

TypeError: Cannot read properties of undefined (reading 'toLowerCase')
    at handleUpgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:246:29)
    at Server.upgrade (webpack://somewhere/node_modules/ws/lib/websocket-server.js:119:16)
    at Server.emit (node:events:519:28)
    at onParserExecuteCommon (node:_http_server:942:14)
    at onParserExecute (node:_http_server:836:3)

Node.js v21.5.0
Attachments
No response
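
The guard below is an added example, not part of the original report and not ws's own code: it validates the handshake headers in the application's `upgrade` listener so that a request whose headers were cut off by `maxHeadersCount` gets the 400 response the report expected. `checkHandshakeHeaders`, `rejectHandshake` and `guardUpgrade` are hypothetical names, and checking `sec-websocket-key` as well goes one header beyond the `upgrade` case in the stack trace.

```javascript
// Added example, not ws's own code. Assumption taken from the report above:
// once server.maxHeadersCount is exceeded, Node still emits 'upgrade' but
// req.headers can lack the Upgrade header, so nothing may be dereferenced blindly.
const REQUIRED_HEADERS = ['upgrade', 'sec-websocket-key'];

// Returns { ok: true } or { ok: false, reason } without ever throwing.
function checkHandshakeHeaders(headers) {
  for (const name of REQUIRED_HEADERS) {
    if (typeof headers[name] !== 'string') {
      return { ok: false, reason: `missing ${name} header` };
    }
  }
  if (headers.upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, reason: 'invalid upgrade header' };
  }
  return { ok: true };
}

// Answer with 400 Bad Request and close the socket.
function rejectHandshake(socket, reason) {
  const body = `${reason}\n`;
  socket.end(
    'HTTP/1.1 400 Bad Request\r\n' +
      'Connection: close\r\n' +
      'Content-Type: text/plain\r\n' +
      `Content-Length: ${Buffer.byteLength(body)}\r\n\r\n` +
      body
  );
}

// Hypothetical helper: register this on the http.Server and hand only
// validated requests to the WebSocket layer.
function guardUpgrade(server, onValid) {
  server.on('upgrade', (req, socket, head) => {
    const result = checkHandshakeHeaders(req.headers);
    if (!result.ok) return rejectHandshake(socket, result.reason);
    onValid(req, socket, head);
  });
}

// Usage with a ws server created with { noServer: true }:
// guardUpgrade(server, (req, socket, head) =>
//   wss.handleUpgrade(req, socket, head, (ws) => wss.emit('connection', ws, req)));
```

An uncaught exception inside any `upgrade` listener ends the whole Node process, which is why the check returns a result object instead of throwing.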