Skip to content

Reject invalid "Sec-WebSocket-Key" headers from clients#360

Merged
nhooyr merged 5 commits intocoder:devfrom
Emyrk:emyrk/Sec-WebSocket-Key
Oct 19, 2023
Merged

Reject invalid "Sec-WebSocket-Key" headers from clients#360
nhooyr merged 5 commits intocoder:devfrom
Emyrk:emyrk/Sec-WebSocket-Key

Conversation

@Emyrk
Copy link
Copy Markdown
Member

@Emyrk Emyrk commented Dec 20, 2022

Client "Sec-WebSocket-Key" should be a valid 16 byte base64 encoded nonce. If the header is not valid, the server should reject the client.

@Emyrk Emyrk requested a review from nhooyr as a code owner December 20, 2022 20:17
@Emyrk
Copy link
Copy Markdown
Member Author

Emyrk commented Dec 20, 2022

@nhooyr this was brought up by a security consultant. Would be great to get this in so we do not need to handle this at a layer above the websocket library.

@dprotaso dprotaso mentioned this pull request May 11, 2023
Closed
@nhooyr nhooyr added this to the v1.8.8 milestone Oct 13, 2023
@nhooyr nhooyr changed the base branch from master to dev October 14, 2023 13:15
nhooyr
nhooyr reviewed Oct 14, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@nhooyr nhooyr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will get this in for v1.8.8. But I need to mention that it was entirely intentional on my end as it's a useless check mandated by the RFC. This isn't a security issue whatsoever and so I decided to ignore the RFC here and not waste CPU cycles on checking. But I can understand that as this library gets more usage it's important to stick to the letter of the RFC to satisfy consultants and process.

Also for anyone testing their websocket implementation against my own, it's good to error here as other libraries may not be flexible.

@nhooyr
Copy link
Copy Markdown
Contributor

nhooyr commented Oct 14, 2023

Will fix the merge conflicts myself.

Emyrk and others added 5 commits October 18, 2023 21:30
@nhooyr nhooyr merged commit 10137fa into coder:dev Oct 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nhooyr nhooyr nhooyr approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.8.8

Development

Successfully merging this pull request may close these issues.

2 participants

@Emyrk @nhooyr