
Releases: websockets/ws

2.0.0-beta.0

10 Jan 14:08
2.0.0-beta.0 Pre-release
[dist] 2.0.0-beta.0

1.1.1

31 Jan 07:41

1.1.0

31 Jan 07:35

Buffer vulnerability

04 Jan 12:53

There was a vulnerability in the ping functionality of the ws module that allowed clients to allocate memory by simply sending a ping frame. By default the ping functionality responds with a pong frame carrying the payload of the ping frame it received. That is exactly what you expect, but internally we always convert all data we need to send into a Buffer instance, and that is where the problem was: we did no checks on the type of the data we were sending. With Buffers in Node, when you construct one from a number instead of a string, the number is taken as a size and that many bytes are allocated, without being zeroed.

var x = new Buffer(100);   // a length: 100 bytes of uninitialised memory
// vs
var x = new Buffer('100'); // content: the 3 bytes 0x31 0x30 0x30

The first example allocates 100 bytes of memory whose contents are whatever was last stored there; the second allocates just 3 bytes holding the characters '100'. So when the server received a ping with 1000 as its payload, it allocated 1000 bytes on the server and returned that non-zeroed buffer to the client instead of the actual message, the text '1000'.

var ws = require('ws')

var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')

client.on('open', function () {
  console.log('open')

  // register the handler before pinging so the pong cannot be missed
  client.on('pong', function (data) {
    console.log('got pong')
    console.log(data) // a non-zeroed, allocated buffer echoed back instead of the text '50'
    client.close()
    server.close()   // let the process exit once the leak has been observed
  })

  client.ping(50) // a number is treated as a length, so the server returns a non-zeroed buffer of 50 bytes
})

As you can imagine, that is pretty darn dangerous, so we fixed it as soon as we received a heads-up about this. I would like to thank @feross and @mafintosh for discovering this vulnerability and disclosing it to me so it could be resolved ASAP.
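The type confusion described above, as an added example that is not code from the ws project: `legacyBuffer` emulates the Node < 8 `new Buffer(x)` constructor that ws relied on at the time, `vulnerablePayload` stands in for the old framing path that handed any payload straight to that constructor, and `safePayload` is a hardened version. All three names, and the choice to encode a numeric payload as its decimal text rather than reject it, are assumptions made for this demo, not the fix ws shipped.

```javascript
// Added example (not ws project code): the Buffer type confusion behind the
// ping/pong bug, with the pre-fix behaviour next to a hardened version.
// Function names are assumptions for this demo, not ws internals.

// Emulates Node < 8 `new Buffer(x)`: a number is a *length* and the memory
// comes back uninitialised. Buffer.allocUnsafe keeps that visible on current
// Node, where `new Buffer(n)` has been zero-filled (and deprecated) since v8.
function legacyBuffer(data) {
  if (typeof data === 'number') return Buffer.allocUnsafe(data);
  return Buffer.from(data);
}

// Pre-fix framing path: whatever the caller passed to ping() goes straight
// into the Buffer constructor, so ping(1000) becomes 1000 bytes of whatever
// the process last stored in that memory.
function vulnerablePayload(data) {
  return legacyBuffer(data);
}

// Hardened framing path: a number is never treated as a length. Only bytes
// (Buffer) or text (string) are accepted as wire data; a number is encoded as
// its decimal text, which is what a caller writing ping(1000) meant (this
// coercion is an assumption of the demo). Anything else is rejected.
function safePayload(data) {
  if (data === undefined || data === null) return Buffer.alloc(0);
  if (Buffer.isBuffer(data)) return data;
  if (typeof data === 'string') return Buffer.from(data, 'utf8');
  if (typeof data === 'number') return Buffer.from(String(data), 'utf8');
  throw new TypeError('ping/pong payload must be a string or Buffer');
}

// Runs both paths on the same numeric payload and reports what each would
// put on the wire. The allocator is not obliged to hand back stale bytes, so
// `vulnerableIsZeroed` is reported, not relied upon; the two lengths are the
// reliable evidence of the length-versus-content confusion.
function leakDemo(size) {
  const vulnerable = vulnerablePayload(size);
  const safe = safePayload(size);
  return {
    vulnerableLength: vulnerable.length,             // equals size: a length, not content
    safeLength: safe.length,                         // equals String(size).length
    safeText: safe.toString('utf8'),                 // the digits the caller meant
    vulnerableIsZeroed: vulnerable.every((b) => b === 0),
  };
}

console.log(leakDemo(1000));
```

Run it with node. The two lengths are the whole story: the vulnerable path returns a Buffer whose length equals the number passed in, while the safe path returns the four bytes of the digits; whether the stale bytes happen to be zero on a given run depends on what the pool held before, which is exactly why the original bug leaked memory only sometimes and was easy to miss in testing.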

Path forward

30 Dec 19:22
  • Discontinued support for all Node versions except 0.12, 4.0 and 5.0. We should focus on the future, and that will be Node 5 and ES6.
  • Removed the client code. It was a simple wrapper that really doesn't belong in a full-fledged Node.js library. If you want browser support, you can conditionally pick the browser's native WebSocket over the module: var WS = window.WebSocket || require('ws')
  • Fixed a zlib issue that caused thrown errors.
  • Binary addons have been completely removed. Even as an optional dependency, npm seems unable to handle the builds properly, causing installations to fail and leading to massive developer issues. While the dependencies have been removed, you can still install them optionally. See https://github.com/websockets/ws#opt-in-for-performance for additional information.

So, the future: ideally I want to start rewriting parts of the library in ES6 and completely clean up the code base. Pull requests for this are encouraged and appreciated <3, as this takes a lot of time.

optionalDependencies

29 Jan 12:14

The ws module has been plagued with build failures caused by its optional compilation of binary add-ons. It used an installation hack instead of optionalDependencies for this. Now, provided optional dependencies work correctly, there should not be any more build failures because a binary addon failed to build.

And as you might have noticed, we moved the repository to a new organization, websockets. This allows us to onboard people more easily, split everything up into smaller, more maintainable modules, etc.

IO.js

22 Jan 16:32

The 0.7 release ensures io.js compatibility by shipping with a new version of the NaN library, which polyfills the differences between the various V8 and Node.js API versions.

Another notable change is the way we export the binary parts of the module. They have caused some build failures in the past; thanks to patches from @pjump, these are now resolved.

0.7 is also the first release without a HISTORY.md file, as we are moving everything to GitHub's release feature.