diff --git a/deps/undici/src/docs/docs/api/Errors.md b/deps/undici/src/docs/docs/api/Errors.md index c32868912a6d90..a6af44de762c2f 100644 --- a/deps/undici/src/docs/docs/api/Errors.md +++ b/deps/undici/src/docs/docs/api/Errors.md @@ -27,6 +27,7 @@ import { errors } from 'undici' | `InformationalError` | `UND_ERR_INFO` | expected error with reason | | `ResponseExceededMaxSizeError` | `UND_ERR_RES_EXCEEDED_MAX_SIZE` | response body exceed the max size allowed | | `SecureProxyConnectionError` | `UND_ERR_PRX_TLS` | tls connection to a proxy failed | +| `MessageSizeExceededError` | `UND_ERR_WS_MESSAGE_SIZE_EXCEEDED` | WebSocket decompressed message exceeded the maximum allowed size | ### `SocketError` diff --git a/deps/undici/src/docs/docs/api/WebSocket.md b/deps/undici/src/docs/docs/api/WebSocket.md index 9d374f4046c4ed..8b6f7b9cfdaeac 100644 --- a/deps/undici/src/docs/docs/api/WebSocket.md +++ b/deps/undici/src/docs/docs/api/WebSocket.md @@ -13,6 +13,14 @@ Arguments: * **url** `URL | string` - The url's protocol *must* be `ws` or `wss`. * **protocol** `string | string[] | WebSocketInit` (optional) - Subprotocol(s) to request the server use, or a [`Dispatcher`](./Dispatcher.md). +### WebSocketInit + +When passing an object as the second argument, the following options are available: + +* **protocols** `string | string[]` (optional) - Subprotocol(s) to request the server use. +* **dispatcher** `Dispatcher` (optional) - A custom [`Dispatcher`](/docs/docs/api/Dispatcher.md) to use for the connection. +* **headers** `HeadersInit` (optional) - Custom headers to include in the WebSocket handshake request. + ### Example: This example will not work in browsers or other platforms that don't allow passing an object. diff --git a/deps/undici/src/lib/core/errors.js b/deps/undici/src/lib/core/errors.js index 535c7339e3900e..202880132dbb3f 100644 --- a/deps/undici/src/lib/core/errors.js +++ b/deps/undici/src/lib/core/errors.js 
@@ -379,6 +379,24 @@ class SecureProxyConnectionError extends UndiciError { [kSecureProxyConnectionError] = true } +const kMessageSizeExceededError = Symbol.for('undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED') +class MessageSizeExceededError extends UndiciError { + constructor (message) { + super(message) + this.name = 'MessageSizeExceededError' + this.message = message || 'Max decompressed message size exceeded' + this.code = 'UND_ERR_WS_MESSAGE_SIZE_EXCEEDED' + } + + static [Symbol.hasInstance] (instance) { + return instance && instance[kMessageSizeExceededError] === true + } + + get [kMessageSizeExceededError] () { + return true + } +} + module.exports = { AbortError, HTTPParserError, @@ -402,5 +420,6 @@ module.exports = { ResponseExceededMaxSizeError, RequestRetryError, ResponseError, - SecureProxyConnectionError + SecureProxyConnectionError, + MessageSizeExceededError } diff --git a/deps/undici/src/lib/core/request.js b/deps/undici/src/lib/core/request.js index 78003038ba97b0..4da60667ec2902 100644 --- a/deps/undici/src/lib/core/request.js +++ b/deps/undici/src/lib/core/request.js @@ -66,6 +66,10 @@ class Request { throw new InvalidArgumentError('upgrade must be a string') } + if (upgrade && !isValidHeaderValue(upgrade)) { + throw new InvalidArgumentError('invalid upgrade header') + } + if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { throw new InvalidArgumentError('invalid headersTimeout') } 
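Review bot: The new `MessageSizeExceededError` exposes its brand through a prototype getter, `get [kMessageSizeExceededError] ()`, while the `SecureProxyConnectionError` context line directly above it uses a class field, `[kSecureProxyConnectionError] = true`; using the same form as its neighbour would keep the file uniform. The class also has no doc comment, and a one-liner such as `/** Raised when a permessage-deflate WebSocket payload inflates past the decompressed-size limit. */` would tell callers when to expect `UND_ERR_WS_MESSAGE_SIZE_EXCEEDED`. Because the brand is a `Symbol.for` key, `instanceof` here is a duck-type check, so it should not be relied on as proof of where an error object came from.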
@@ -360,13 +364,19 @@ function processHeader (request, key, val) { val = `${val}` } - if (request.host === null && headerName === 'host') { + if (headerName === 'host') { + if (request.host !== null) { + throw new InvalidArgumentError('duplicate host header') + } if (typeof val !== 'string') { throw new InvalidArgumentError('invalid host header') } // Consumed by Client request.host = val - } else if (request.contentLength === null && headerName === 'content-length') { + } else if (headerName === 'content-length') { + if (request.contentLength !== null) { + throw new InvalidArgumentError('duplicate content-length header') + } request.contentLength = parseInt(val, 10) if (!Number.isFinite(request.contentLength)) { throw new InvalidArgumentError('invalid content-length header') diff --git a/deps/undici/src/lib/llhttp/wasm_build_env.txt b/deps/undici/src/lib/llhttp/wasm_build_env.txt index d280a7ed81d025..7ccb566421391c 100644 --- a/deps/undici/src/lib/llhttp/wasm_build_env.txt +++ b/deps/undici/src/lib/llhttp/wasm_build_env.txt 
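Review bot: The duplicate check in the `content-length` branch rejects a repeated header, but the value is still read with `parseInt(val, 10)`, which stops at the first non-digit, so a single malformed value such as `10abc` is truncated to 10 and passes the `Number.isFinite` test instead of being rejected. Whether the original string or the parsed number is what gets serialized is not visible in this hunk, so the practical impact is unconfirmed, but accepting a value the peer may read differently is the kind of ambiguity the duplicate check is meant to remove. A strict form check before parsing would close it: `if (!/^\d+$/.test(val)) throw new InvalidArgumentError('invalid content-length header')`. `processHeader` begins and ends outside the hunk.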
@@ -1,22 +1,22 @@ - -> undici@6.23.0 prebuild:wasm -> node build/wasm.js --prebuild - -> docker build --platform=linux/aarch64 -t llhttp_wasm_builder -f /Users/matteo/repos/node-private/deps/undici/src/build/Dockerfile /Users/matteo/repos/node-private/deps/undici/src - - - -> undici@6.23.0 build:wasm -> node build/wasm.js --docker - -> docker run --rm -t --platform=linux/aarch64 --mount type=bind,source=/Users/matteo/repos/node-private/deps/undici/src/lib/llhttp,target=/home/node/undici/lib/llhttp llhttp_wasm_builder node build/wasm.js - - + +> undici@6.24.1 prebuild:wasm +> node build/wasm.js --prebuild + +> docker build --platform=linux/x86_64 -t llhttp_wasm_builder -f /home/runner/work/node/node/deps/undici/src/build/Dockerfile /home/runner/work/node/node/deps/undici/src + + + +> undici@6.24.1 build:wasm +> node build/wasm.js --docker + +> docker run --rm -t --platform=linux/x86_64 --user 1000:1000 --mount type=bind,source=/home/runner/work/node/node/deps/undici/src/lib/llhttp,target=/home/node/undici/lib/llhttp llhttp_wasm_builder node build/wasm.js + + alpine-baselayout-3.4.3-r2 alpine-baselayout-data-3.4.3-r2 alpine-keys-2.4-r1 apk-tools-2.14.0-r5 -binutils-2.41-r0 +binutils-2.41-r1 busybox-1.36.1-r15 busybox-binsh-1.36.1-r15 ca-certificates-bundle-20230506-r0 @@ -37,15 +37,15 @@ libgomp-13.2.1_git20231014-r0 libssl3-3.1.4-r5 libstdc++-13.2.1_git20231014-r0 libstdc++-dev-13.2.1_git20231014-r0 -libxml2-2.11.8-r0 +libxml2-2.11.8-r3 lld-17.0.5-r0 lld-libs-17.0.5-r0 llvm17-libs-17.0.5-r0 llvm17-linker-tools-17.0.5-r0 mpc1-1.3.1-r1 mpfr4-4.2.1-r0 -musl-1.2.4_git20230717-r4 -musl-dev-1.2.4_git20230717-r4 +musl-1.2.4_git20230717-r5 +musl-dev-1.2.4_git20230717-r5 musl-utils-1.2.4_git20230717-r4 scanelf-1.3.7-r2 scudo-malloc-17.0.5-r0 @@ -54,7 +54,7 @@ wasi-compiler-rt-17.0.5-r1 wasi-libc-0.20231012-r0 wasi-libcxx-17.0.5-r0 wasi-sdk-20-r3 -xz-libs-5.4.5-r0 +xz-libs-5.4.5-r1 zlib-1.3.1-r0 zstd-libs-1.5.5-r8 
diff --git a/deps/undici/src/lib/web/websocket/permessage-deflate.js b/deps/undici/src/lib/web/websocket/permessage-deflate.js index 76cb366d5e556f..1f1a13038afb5f 100644 --- a/deps/undici/src/lib/web/websocket/permessage-deflate.js +++ b/deps/undici/src/lib/web/websocket/permessage-deflate.js @@ -2,17 +2,30 @@ const { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require('node:zlib') const { isValidClientWindowBits } = require('./util') +const { MessageSizeExceededError } = require('../../core/errors') const tail = Buffer.from([0x00, 0x00, 0xff, 0xff]) const kBuffer = Symbol('kBuffer') const kLength = Symbol('kLength') +// Default maximum decompressed message size: 4 MB +const kDefaultMaxDecompressedSize = 4 * 1024 * 1024 + class PerMessageDeflate { /** @type {import('node:zlib').InflateRaw} */ #inflate #options = {} + /** @type {boolean} */ + #aborted = false + + /** @type {Function|null} */ + #currentCallback = null + + /** + * @param {Map} extensions + */ constructor (extensions) { this.#options.serverNoContextTakeover = extensions.has('server_no_context_takeover') this.#options.serverMaxWindowBits = extensions.get('server_max_window_bits') @@ -24,6 +37,11 @@ class PerMessageDeflate { // payload of the message. // 2. Decompress the resulting data using DEFLATE. + if (this.#aborted) { + callback(new MessageSizeExceededError()) + return + } + if (!this.#inflate) { let windowBits = Z_DEFAULT_WINDOWBITS 
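Review bot: `kDefaultMaxDecompressedSize` is named as a default, but nothing in this diff lets a caller override it, and the `WebSocketInit` section added to WebSocket.md in the same commit does not mention the 4 MB ceiling. Applications that legitimately receive larger compressed messages will see the connection fail after the update with no documented setting to adjust. Either expose the limit as an option or say in the comment that it is fixed, e.g. `// Fixed maximum decompressed size per decompress() call: 4 MB (not configurable)`. The new `@param {Map} extensions` could also carry type arguments, presumably `Map<string, string>` going by the `has`/`get` calls in the constructor.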
@@ -36,13 +54,37 @@ class PerMessageDeflate { windowBits = Number.parseInt(this.#options.serverMaxWindowBits) } - this.#inflate = createInflateRaw({ windowBits }) + try { + this.#inflate = createInflateRaw({ windowBits }) + } catch (err) { + callback(err) + return + } this.#inflate[kBuffer] = [] this.#inflate[kLength] = 0 this.#inflate.on('data', (data) => { - this.#inflate[kBuffer].push(data) + if (this.#aborted) { + return + } + this.#inflate[kLength] += data.length + + if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) { + this.#aborted = true + this.#inflate.removeAllListeners() + this.#inflate.destroy() + this.#inflate = null + + if (this.#currentCallback) { + const cb = this.#currentCallback + this.#currentCallback = null + cb(new MessageSizeExceededError()) + } + return + } + + this.#inflate[kBuffer].push(data) }) this.#inflate.on('error', (err) => { @@ -51,16 +93,22 @@ class PerMessageDeflate { }) } + this.#currentCallback = callback this.#inflate.write(chunk) if (fin) { this.#inflate.write(tail) } this.#inflate.flush(() => { + if (this.#aborted || !this.#inflate) { + return + } + const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength]) this.#inflate[kBuffer].length = 0 this.#inflate[kLength] = 0 + this.#currentCallback = null callback(null, full) }) diff --git a/deps/undici/src/lib/web/websocket/receiver.js b/deps/undici/src/lib/web/websocket/receiver.js index 581c251074c740..e7f75127aa583c 100644 --- a/deps/undici/src/lib/web/websocket/receiver.js +++ b/deps/undici/src/lib/web/websocket/receiver.js @@ -37,6 +37,10 @@ class ByteParser extends Writable { /** @type {Map} */ #extensions + /** + * @param {import('./websocket').WebSocket} ws + * @param {Map|null} extensions + */ constructor (ws, extensions) { super() 
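Review bot: The `'error'` listener registered at the end of this hunk still reports through the `callback` captured when the inflate stream was created, not through the new `#currentCallback`; its body falls between hunks here, but the bundled copy in deps/undici/undici.js shows `this.#inflate = null; callback(err)`. Since the stream is only created when `#inflate` is unset and is otherwise reused, a zlib error on a later call would go to the first call's callback and leave `#currentCallback` set. Routing it the same way as the size-limit path would keep the two failure paths consistent: `const cb = this.#currentCallback; this.#currentCallback = null; cb?.(err)`. `decompress` starts and ends outside the hunk.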
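Review bot: The 4 MB ceiling bounds each `decompress()` call, not the assembled message, because the flush callback in this hunk resets `this.#inflate[kLength] = 0` after every call and the receiver calls `decompress` once per frame. The bundled receiver hunk shows each result being pushed onto `#fragments`, and no bound on the sum of those fragments is visible in this diff. If the intent is the "max decompressed message size" that the error text states, keep a separate running total that is cleared only when `fin` is true and compare that against the limit, or have the receiver cap the total it buffers. A comment on the constant stating which of the two scopes is intended would help whoever tunes it later.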
@@ -179,6 +183,7 @@ class ByteParser extends Writable { const buffer = this.consume(8) const upper = buffer.readUInt32BE(0) + const lower = buffer.readUInt32BE(4) // 2^31 is the maximum bytes an arraybuffer can contain // on 32-bit systems. Although, on 64-bit systems, this is @@ -186,14 +191,12 @@ class ByteParser extends Writable { // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Errors/Invalid_array_length // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/common/globals.h;drc=1946212ac0100668f14eb9e2843bdd846e510a1e;bpv=1;bpt=1;l=1275 // https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/js-array-buffer.h;l=34;drc=1946212ac0100668f14eb9e2843bdd846e510a1e - if (upper > 2 ** 31 - 1) { + if (upper !== 0 || lower > 2 ** 31 - 1) { failWebsocketConnection(this.ws, 'Received payload length > 2^31 bytes.') return } - const lower = buffer.readUInt32BE(4) - - this.#info.payloadLength = (upper << 8) + lower + this.#info.payloadLength = lower this.#state = parserStates.READ_DATA } else if (this.#state === parserStates.READ_DATA) { if (this.#byteOffset < this.#info.payloadLength) { @@ -223,7 +226,7 @@ class ByteParser extends Writable { } else { this.#extensions.get('permessage-deflate').decompress(body, this.#info.fin, (error, data) => { if (error) { - closeWebSocketConnection(this.ws, 1007, error.message, error.message.length) + failWebsocketConnection(this.ws, error.message) return } diff --git a/deps/undici/src/lib/web/websocket/util.js b/deps/undici/src/lib/web/websocket/util.js index e5ce7899752511..2a04887f263290 100644 --- a/deps/undici/src/lib/web/websocket/util.js +++ b/deps/undici/src/lib/web/websocket/util.js 
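Review bot: The corrected check `upper !== 0 || lower > 2 ** 31 - 1` still admits any declared payload up to 2^31 - 1 bytes, so the 4 MB bound added elsewhere in this commit applies only to inflated output. An uncompressed frame, or the compressed input itself, is limited only by this check. If a message-size policy is intended, comparing `lower` against the same limit here would make the compressed and uncompressed paths agree and fail the connection before the payload is buffered. How much the parser buffers before `READ_DATA` completes is outside the hunk, so the memory impact is not confirmed from here.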
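Review bot: The decompress error path now hands `error.message` straight to `failWebsocketConnection`, so for zlib failures the library's internal error text becomes the failure reason, and the explicit 1007 status the old call supplied is gone. For the new size-limit error, RFC 6455 defines status 1009 (message too big); which status `failWebsocketConnection` ends up using is not visible in this hunk. If that helper can carry a status, branching on `error.code === 'UND_ERR_WS_MESSAGE_SIZE_EXCEEDED'` would let the peer and local logs tell an oversized message from corrupt deflate data. The enclosing callback continues outside the hunk.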
@@ -266,6 +266,12 @@ function parseExtensions (extensions) { * @param {string} value */ function isValidClientWindowBits (value) { + // Must have at least one character + if (value.length === 0) { + return false + } + + // Check all characters are ASCII digits for (let i = 0; i < value.length; i++) { const byte = value.charCodeAt(i) @@ -274,7 +280,9 @@ function isValidClientWindowBits (value) { } } - return true + // Check numeric range: zlib requires windowBits in range 8-15 + const num = Number.parseInt(value, 10) + return num >= 8 && num <= 15 } // https://nodejs.org/api/intl.html#detecting-internationalization-support diff --git a/deps/undici/src/lib/web/websocket/websocket.js b/deps/undici/src/lib/web/websocket/websocket.js index e40530247566d8..aa2a20a4f6c9a3 100644 --- a/deps/undici/src/lib/web/websocket/websocket.js +++ b/deps/undici/src/lib/web/websocket/websocket.js @@ -431,7 +431,7 @@ class WebSocket extends EventTarget { * @see https://websockets.spec.whatwg.org/#feedback-from-the-protocol */ #onConnectionEstablished (response, parsedExtensions) { - // processResponse is called when the "response’s header list has been received and initialized." + // processResponse is called when the "response's header list has been received and initialized." // once this happens, the connection is open this[kResponse] = response diff --git a/deps/undici/src/package.json b/deps/undici/src/package.json index 291ed14ba52600..0c57391efcc519 100644 --- a/deps/undici/src/package.json +++ b/deps/undici/src/package.json @@ -1,6 +1,6 @@ { "name": "undici", - "version": "6.23.0", + "version": "6.24.1", "description": "An HTTP/1.1 client, written from scratch for Node.js", "homepage": "https://undici.nodejs.org", "bugs": { @@ -107,6 +107,7 @@ "devDependencies": { "@fastify/busboy": "2.1.1", "@matteo.collina/tspl": "^0.1.1", + "@metcoder95/https-pem": "^1.0.0", "@sinonjs/fake-timers": "^11.1.0", "@types/node": "~18.19.50", "abort-controller": "^3.0.0", 
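Review bot: The range check accepts any all-digit string whose numeric value is 8 to 15, so `015` or a long run of zeros followed by `9` passes, whereas RFC 7692 specifies the window-bits parameter as a decimal integer without leading zeroes. Extending the empty-string guard from the preceding hunk to `if (value.length === 0 || value.length > 2 || value[0] === '0') return false` rejects those forms before parsing and also bounds the loop. The JSDoc above the function lists only `@param {string} value`; adding `@returns {boolean}` and the accepted range would document the stricter contract. The function body starts outside this hunk.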
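Review bot: The added devDependency `@metcoder95/https-pem` is declared with a caret range, `^1.0.0`, and scripts/generate-pem.js in this commit loads its `install` entry point, so whichever 1.x version resolves runs code when that script is executed. The neighbouring `@fastify/busboy` entry is pinned to an exact version (`2.1.1`); pinning this one the same way, `"@metcoder95/https-pem": "1.0.0"`, would make the swap away from `https-pem` reproducible and easier to audit. Whether a lockfile already fixes the resolved version is not visible here, and the `devDependencies` object continues outside the hunk.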
@@ -117,7 +118,6 @@ "fast-check": "^3.17.1", "form-data": "^4.0.0", "formdata-node": "^6.0.3", - "https-pem": "^3.0.0", "husky": "^9.0.7", "jest": "^29.0.2", "jsdom": "^24.0.0", diff --git a/deps/undici/src/scripts/generate-pem.js b/deps/undici/src/scripts/generate-pem.js index 0d7e628e209fa9..172701f183e791 100644 --- a/deps/undici/src/scripts/generate-pem.js +++ b/deps/undici/src/scripts/generate-pem.js @@ -1,3 +1,3 @@ /* istanbul ignore file */ -require('https-pem/install') +require('@metcoder95/https-pem/install') diff --git a/deps/undici/src/scripts/release.js b/deps/undici/src/scripts/release.js index ad8e84686697ae..68587a0c00daec 100644 --- a/deps/undici/src/scripts/release.js +++ b/deps/undici/src/scripts/release.js @@ -2,7 +2,7 @@ // Called from .github/workflows -const generateReleaseNotes = async ({ github, owner, repo, versionTag, defaultBranch }) => { +const generateReleaseNotes = async ({ github, owner, repo, versionTag, releaseBranch }) => { const { data: releases } = await github.rest.repos.listReleases({ owner, repo @@ -14,7 +14,7 @@ const generateReleaseNotes = async ({ github, owner, repo, versionTag, defaultBr owner, repo, tag_name: versionTag, - target_commitish: defaultBranch, + target_commitish: releaseBranch, previous_tag_name: previousRelease?.tag_name }) 
@@ -25,29 +25,29 @@ const generateReleaseNotes = async ({ github, owner, repo, versionTag, defaultBr return bodyWithoutReleasePr } -const generatePr = async ({ github, context, defaultBranch, versionTag }) => { +const generatePr = async ({ github, context, releaseBranch, versionTag }) => { const { owner, repo } = context.repo - const releaseNotes = await generateReleaseNotes({ github, owner, repo, versionTag, defaultBranch }) + const releaseNotes = await generateReleaseNotes({ github, owner, repo, versionTag, releaseBranch }) await github.rest.pulls.create({ owner, repo, head: `release/${versionTag}`, - base: defaultBranch, + base: releaseBranch, title: `[Release] ${versionTag}`, body: releaseNotes }) } -const release = async ({ github, context, defaultBranch, versionTag }) => { +const release = async ({ github, context, releaseBranch, versionTag }) => { const { owner, repo } = context.repo - const releaseNotes = await generateReleaseNotes({ github, owner, repo, versionTag, defaultBranch }) + const releaseNotes = await generateReleaseNotes({ github, owner, repo, versionTag, releaseBranch }) await github.rest.repos.createRelease({ owner, repo, tag_name: versionTag, - target_commitish: defaultBranch, + target_commitish: releaseBranch, name: versionTag, body: releaseNotes, draft: false, diff --git a/deps/undici/src/types/errors.d.ts b/deps/undici/src/types/errors.d.ts index f6fb73b5a90396..654988423d7259 100644 --- a/deps/undici/src/types/errors.d.ts +++ b/deps/undici/src/types/errors.d.ts @@ -146,4 +146,10 @@ declare namespace Errors { name: 'SecureProxyConnectionError'; code: 'UND_ERR_PRX_TLS'; } + + /** WebSocket decompressed message exceeded maximum size. */ + export class MessageSizeExceededError extends UndiciError { + name: 'MessageSizeExceededError' + code: 'UND_ERR_WS_MESSAGE_SIZE_EXCEEDED' + } } diff --git a/deps/undici/undici.js b/deps/undici/undici.js index 39d03219ba35c6..d7b149b36673ff 100644 --- a/deps/undici/undici.js +++ b/deps/undici/undici.js 
@@ -389,6 +389,24 @@ var require_errors = __commonJS({ } [kSecureProxyConnectionError] = true; }; + var kMessageSizeExceededError = Symbol.for("undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"); + var MessageSizeExceededError = class extends UndiciError { + static { + __name(this, "MessageSizeExceededError"); + } + constructor(message) { + super(message); + this.name = "MessageSizeExceededError"; + this.message = message || "Max decompressed message size exceeded"; + this.code = "UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"; + } + static [Symbol.hasInstance](instance) { + return instance && instance[kMessageSizeExceededError] === true; + } + get [kMessageSizeExceededError]() { + return true; + } + }; module2.exports = { AbortError, HTTPParserError, @@ -412,7 +430,8 @@ var require_errors = __commonJS({ ResponseExceededMaxSizeError, RequestRetryError, ResponseError, - SecureProxyConnectionError + SecureProxyConnectionError, + MessageSizeExceededError }; } }); @@ -2031,6 +2050,9 @@ var require_request = __commonJS({ if (upgrade && typeof upgrade !== "string") { throw new InvalidArgumentError("upgrade must be a string"); } + if (upgrade && !isValidHeaderValue(upgrade)) { + throw new InvalidArgumentError("invalid upgrade header"); + } if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { throw new InvalidArgumentError("invalid headersTimeout"); } 
@@ -2263,12 +2285,18 @@ var require_request = __commonJS({ } else { val = `${val}`; } - if (request.host === null && headerName === "host") { + if (headerName === "host") { + if (request.host !== null) { + throw new InvalidArgumentError("duplicate host header"); + } if (typeof val !== "string") { throw new InvalidArgumentError("invalid host header"); } request.host = val; - } else if (request.contentLength === null && headerName === "content-length") { + } else if (headerName === "content-length") { + if (request.contentLength !== null) { + throw new InvalidArgumentError("duplicate content-length header"); + } request.contentLength = parseInt(val, 10); if (!Number.isFinite(request.contentLength)) { throw new InvalidArgumentError("invalid content-length header"); @@ -11972,13 +12000,17 @@ var require_util3 = __commonJS({ } __name(parseExtensions, "parseExtensions"); function isValidClientWindowBits(value) { + if (value.length === 0) { + return false; + } for (let i = 0; i < value.length; i++) { const byte = value.charCodeAt(i); if (byte < 48 || byte > 57) { return false; } } - return true; + const num = Number.parseInt(value, 10); + return num >= 8 && num <= 15; } __name(isValidClientWindowBits, "isValidClientWindowBits"); var hasIntl = typeof process.versions.icu === "string"; @@ -12287,9 +12319,11 @@ var require_permessage_deflate = __commonJS({ "use strict"; var { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require("node:zlib"); var { isValidClientWindowBits } = require_util3(); + var { MessageSizeExceededError } = require_errors(); var tail = Buffer.from([0, 0, 255, 255]); var kBuffer = Symbol("kBuffer"); var kLength = Symbol("kLength"); + var kDefaultMaxDecompressedSize = 4 * 1024 * 1024; var PerMessageDeflate = class { static { __name(this, "PerMessageDeflate"); 
@@ -12297,11 +12331,22 @@ var require_permessage_deflate = __commonJS({ /** @type {import('node:zlib').InflateRaw} */ #inflate; #options = {}; + /** @type {boolean} */ + #aborted = false; + /** @type {Function|null} */ + #currentCallback = null; + /** + * @param {Map} extensions + */ constructor(extensions) { this.#options.serverNoContextTakeover = extensions.has("server_no_context_takeover"); this.#options.serverMaxWindowBits = extensions.get("server_max_window_bits"); } decompress(chunk, fin, callback) { + if (this.#aborted) { + callback(new MessageSizeExceededError()); + return; + } if (!this.#inflate) { let windowBits = Z_DEFAULT_WINDOWBITS; if (this.#options.serverMaxWindowBits) { 
@@ -12311,26 +12356,51 @@ var require_permessage_deflate = __commonJS({ } windowBits = Number.parseInt(this.#options.serverMaxWindowBits); } - this.#inflate = createInflateRaw({ windowBits }); + try { + this.#inflate = createInflateRaw({ windowBits }); + } catch (err) { + callback(err); + return; + } this.#inflate[kBuffer] = []; this.#inflate[kLength] = 0; this.#inflate.on("data", (data) => { - this.#inflate[kBuffer].push(data); + if (this.#aborted) { + return; + } this.#inflate[kLength] += data.length; + if (this.#inflate[kLength] > kDefaultMaxDecompressedSize) { + this.#aborted = true; + this.#inflate.removeAllListeners(); + this.#inflate.destroy(); + this.#inflate = null; + if (this.#currentCallback) { + const cb = this.#currentCallback; + this.#currentCallback = null; + cb(new MessageSizeExceededError()); + } + return; + } + this.#inflate[kBuffer].push(data); }); this.#inflate.on("error", (err) => { this.#inflate = null; callback(err); }); } + this.#currentCallback = callback; this.#inflate.write(chunk); if (fin) { this.#inflate.write(tail); } this.#inflate.flush(() => { + if (this.#aborted || !this.#inflate) { + return; + } const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength]); this.#inflate[kBuffer].length = 0; this.#inflate[kLength] = 0; + this.#currentCallback = null; callback(null, full); }); } @@ -12373,6 +12443,10 @@ var require_receiver = __commonJS({ #fragments = []; /** @type {Map} */ #extensions; + /** + * @param {import('./websocket').WebSocket} ws + * @param {Map|null} extensions + */ constructor(ws, extensions) { super(); this.ws = ws; 
@@ -12476,12 +12550,12 @@ var require_receiver = __commonJS({ } const buffer = this.consume(8); const upper = buffer.readUInt32BE(0); - if (upper > 2 ** 31 - 1) { + const lower = buffer.readUInt32BE(4); + if (upper !== 0 || lower > 2 ** 31 - 1) { failWebsocketConnection(this.ws, "Received payload length > 2^31 bytes."); return; } - const lower = buffer.readUInt32BE(4); - this.#info.payloadLength = (upper << 8) + lower; + this.#info.payloadLength = lower; this.#state = parserStates.READ_DATA; } else if (this.#state === parserStates.READ_DATA) { if (this.#byteOffset < this.#info.payloadLength) { @@ -12503,7 +12577,7 @@ var require_receiver = __commonJS({ } else { this.#extensions.get("permessage-deflate").decompress(body, this.#info.fin, (error, data) => { if (error) { - closeWebSocketConnection(this.ws, 1007, error.message, error.message.length); + failWebsocketConnection(this.ws, error.message); return; } this.#fragments.push(data); diff --git a/src/undici_version.h b/src/undici_version.h index b966ee1999b420..080aa30ea137dd 100644 --- a/src/undici_version.h +++ b/src/undici_version.h @@ -2,5 +2,5 @@ // Refer to tools/dep_updaters/update-undici.sh #ifndef SRC_UNDICI_VERSION_H_ #define SRC_UNDICI_VERSION_H_ -#define UNDICI_VERSION "6.23.0" +#define UNDICI_VERSION "6.24.1" #endif // SRC_UNDICI_VERSION_H_