engine.io - npm Package Compare versions

Comparing version 6.1.0 to 6.1.1

build/server.js

@@ -444,4 +444,2 @@ "use strict";
         else {
-            // transport error handling takes over
-            websocket.removeListener("error", onUpgradeError);
             const closeConnection = (errorCode, errorContext) => abortUpgrade(socket, errorCode, errorContext);
@@ -448,0 +446,0 @@ this.handshake(req._query.transport, req, closeConnection);

build/socket.js

@@ -6,2 +6,3 @@ "use strict";
 const debug_1 = require("debug");
+const timers_1 = require("timers");
 const debug = (0, debug_1.default)("engine:socket");
@@ -137,3 +138,3 @@ class Socket extends events_1.EventEmitter {
     schedulePing() {
-        this.pingIntervalTimer = setTimeout(() => {
+        this.pingIntervalTimer = (0, timers_1.setTimeout)(() => {
             debug("writing ping packet - expecting pong within %sms", this.server.opts.pingTimeout);
@@ -150,4 +151,4 @@ this.sendPacket("ping");
     resetPingTimeout(timeout) {
-        clearTimeout(this.pingTimeoutTimer);
-        this.pingTimeoutTimer = setTimeout(() => {
+        (0, timers_1.clearTimeout)(this.pingTimeoutTimer);
+        this.pingTimeoutTimer = (0, timers_1.setTimeout)(() => {
             if (this.readyState === "closed")
@@ -193,3 +194,3 @@ return;
         // set transport upgrade timer
-        this.upgradeTimeoutTimer = setTimeout(() => {
+        this.upgradeTimeoutTimer = (0, timers_1.setTimeout)(() => {
             debug("client did not complete upgrade - closing transport");
@@ -240,3 +241,3 @@ cleanup();
             this.checkIntervalTimer = null;
-            clearTimeout(this.upgradeTimeoutTimer);
+            (0, timers_1.clearTimeout)(this.upgradeTimeoutTimer);
             this.upgradeTimeoutTimer = null;
@@ -283,3 +284,3 @@ transport.removeListener("packet", onPacket);
         this.transport.close();
-        clearTimeout(this.pingTimeoutTimer);
+        (0, timers_1.clearTimeout)(this.pingTimeoutTimer);
     }
@@ -295,7 +296,7 @@ /**
             // clear timers
-            clearTimeout(this.pingIntervalTimer);
-            clearTimeout(this.pingTimeoutTimer);
+            (0, timers_1.clearTimeout)(this.pingIntervalTimer);
+            (0, timers_1.clearTimeout)(this.pingTimeoutTimer);
             clearInterval(this.checkIntervalTimer);
             this.checkIntervalTimer = null;
-            clearTimeout(this.upgradeTimeoutTimer);
+            (0, timers_1.clearTimeout)(this.upgradeTimeoutTimer);
             // clean writeBuffer in next tick, so developers can still
@@ -302,0 +303,0 @@ // grab the writeBuffer on 'close' event

CHANGELOG.md

@@ -0,1 +1,23 @@
+## [6.1.1](https://github.com/socketio/engine.io/compare/6.1.0...6.1.1) (2022-01-11)
+
+:warning: This release contains an important security fix :warning:
+
+A malicious client could send a specially crafted HTTP request, triggering an uncaught exception and killing the Node.js process:
+
+> RangeError: Invalid WebSocket frame: RSV2 and RSV3 must be clear
+>   at Receiver.getInfo (/.../node_modules/ws/lib/receiver.js:176:14)
+>   at Receiver.startLoop (/.../node_modules/ws/lib/receiver.js:136:22)
+>   at Receiver._write (/.../node_modules/ws/lib/receiver.js:83:10)
+>   at writeOrBuffer (internal/streams/writable.js:358:12)
+
+This bug was introduced by [this commit](https://github.com/socketio/engine.io/commit/f3c291fa613a9d50c924d74293035737fdace4f2), included in `engine.io@4.0.0`, so previous releases are not impacted.
+
+Thanks to Marcus Wejderot from Mevisio for the responsible disclosure.
+
+### Bug Fixes
+
+* properly handle invalid data sent by a malicious websocket client ([c0e194d](https://github.com/socketio/engine.io/commit/c0e194d44933bd83bf9a4b126fca68ba7bf5098c))
+
+
+
 # [6.1.0](https://github.com/socketio/engine.io/compare/6.0.0...6.1.0) (2021-11-08)
@@ -2,0 +24,0 @@

package.json

 {
   "name": "engine.io",
-  "version": "6.1.0",
+  "version": "6.1.1",
   "description": "The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server",
@@ -5,0 +5,0 @@ "type": "commonjs",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

155942

increased by0.73%

Worsened metrics

Lines of code

3942

decreased by-0.03%

No dependency changes