From 729a4653073fa8dd020561113513bfa2e2119415 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Fri, 24 May 2019 13:59:25 +0100 Subject: [PATCH 1/8] Switch license to Apache 2.0. --- LICENSE.md | 26 +++++++++----------------- package.json | 2 +- 2 files changed, 10 insertions(+), 18 deletions(-) diff --git a/LICENSE.md b/LICENSE.md index 24bc613..5861b5c 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,20 +1,12 @@ -# The MIT License +Copyright 2014-2017 James Coglan -Copyright (c) 2014-2017 James Coglan +Licensed under the Apache License, Version 2.0 (the "License"); you may not use +this file except in compliance with the License. You may obtain a copy of the +License at -Permission is hereby granted, free of charge, to any person obtaining a copy of -this software and associated documentation files (the 'Software'), to deal in -the Software without restriction, including without limitation the rights to -use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -the Software, and to permit persons to whom the Software is furnished to do so, -subject to the following conditions: + http://www.apache.org/licenses/LICENSE-2.0 -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +Unless required by applicable law or agreed to in writing, software distributed +under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. See the License for the +specific language governing permissions and limitations under the License. diff --git a/package.json b/package.json index 5d96461..a556112 100644 --- a/package.json +++ b/package.json @@ -3,7 +3,7 @@ , "homepage" : "http://github.com/faye/websocket-extensions-node" , "author" : "James Coglan (http://jcoglan.com/)" , "keywords" : ["websocket"] -, "license" : "MIT" +, "license" : "Apache-2.0" , "version" : "0.1.3" , "engines" : { "node": ">=0.8.0" } From 0b620834cc1e1f2eace1d55ab17f71d90d88271d Mon Sep 17 00:00:00 2001 From: James Coglan Date: Fri, 24 May 2019 14:05:57 +0100 Subject: [PATCH 2/8] Update Travis target versions. --- .travis.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.travis.yml b/.travis.yml index e8929a4..a58d749 100644 --- a/.travis.yml +++ b/.travis.yml @@ -11,6 +11,9 @@ node_js: - "7" - "8" - "9" + - "10" + - "11" + - "12" before_install: - '[ "${TRAVIS_NODE_VERSION}" = "0.8" ] && npm install -g npm@~1.4.0 || true' From 2d211f3705d52d9efb4f01daf5a253adf828592e Mon Sep 17 00:00:00 2001 From: James Coglan Date: Wed, 29 May 2019 15:38:13 +0100 Subject: [PATCH 3/8] Change markdown formatting of docs. --- CHANGELOG.md | 16 ++++++++-------- README.md | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb40881..3a0a020 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,22 +1,22 @@ ### 0.1.3 / 2017-11-11 -* Accept extension names and parameters including uppercase letters -* Handle extension names that clash with `Object.prototype` properties +- Accept extension names and parameters including uppercase letters +- Handle extension names that clash with `Object.prototype` properties ### 0.1.2 / 2017-09-10 -* Catch synchronous exceptions thrown when calling an extension -* Fix race condition caused when a message is pushed after a cell has stopped +- Catch synchronous exceptions thrown when calling an extension +- Fix race condition caused when a message is pushed after a cell has stopped due to an error -* Fix failure of `close()` to return if a message that's queued after one that +- Fix failure of `close()` to return if a message that's queued after one that produces an error never finishes being processed ### 0.1.1 / 2015-02-19 -* Prevent sessions being closed before they have finished processing messages -* Add a callback to `Extensions.close()` so the caller can tell when it's safe +- Prevent sessions being closed before they have finished processing messages +- Add a callback to `Extensions.close()` so the caller can tell when it's safe to close the socket ### 0.1.0 / 2014-12-12 -* Initial release +- Initial release diff --git a/README.md b/README.md index a52b2f0..3ce97fc 100644 --- a/README.md +++ b/README.md @@ -327,5 +327,5 @@ the session to release any resources it's using. ## Examples -* Consumer: [websocket-driver](https://github.com/faye/websocket-driver-node) -* Provider: [permessage-deflate](https://github.com/faye/permessage-deflate-node) +- Consumer: [websocket-driver](https://github.com/faye/websocket-driver-node) +- Provider: [permessage-deflate](https://github.com/faye/permessage-deflate-node) From f6c50aba0c20ff45b0f87cea33babec1217ec3f5 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Mon, 10 Jun 2019 12:25:53 +0100 Subject: [PATCH 4/8] Let npm reformat package.json --- .gitignore | 1 + package.json | 49 ++++++++++++++++++++++++++++--------------------- 2 files changed, 29 insertions(+), 21 deletions(-) diff --git a/.gitignore b/.gitignore index 3c3629e..d5f19d8 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ node_modules +package-lock.json diff --git a/package.json b/package.json index a556112..7ec6f19 100644 --- a/package.json +++ b/package.json @@ -1,22 +1,29 @@ -{ "name" : "websocket-extensions" -, "description" : "Generic extension manager for WebSocket connections" -, "homepage" : "http://github.com/faye/websocket-extensions-node" -, "author" : "James Coglan (http://jcoglan.com/)" -, "keywords" : ["websocket"] -, "license" : "Apache-2.0" - -, "version" : "0.1.3" -, "engines" : { "node": ">=0.8.0" } -, "files" : ["lib"] -, "main" : "./lib/websocket_extensions" - -, "devDependencies" : { "jstest": "*" } - -, "scripts" : { "test": "jstest spec/runner.js" } - -, "repository" : { "type" : "git" - , "url" : "git://github.com/faye/websocket-extensions-node.git" - } - -, "bugs" : "http://github.com/faye/websocket-extensions-node/issues" +{ + "name": "websocket-extensions", + "description": "Generic extension manager for WebSocket connections", + "homepage": "http://github.com/faye/websocket-extensions-node", + "author": "James Coglan (http://jcoglan.com/)", + "keywords": [ + "websocket" + ], + "license": "Apache-2.0", + "version": "0.1.3", + "engines": { + "node": ">=0.8.0" + }, + "files": [ + "lib" + ], + "main": "./lib/websocket_extensions", + "devDependencies": { + "jstest": "*" + }, + "scripts": { + "test": "jstest spec/runner.js" + }, + "repository": { + "type": "git", + "url": "git://github.com/faye/websocket-extensions-node.git" + }, + "bugs": "http://github.com/faye/websocket-extensions-node/issues" } From 44a677a9c0631daed0b0f4a4b68c095b624183b8 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Tue, 11 Jun 2019 15:54:09 +0100 Subject: [PATCH 5/8] Formatting change: {...} should have spaces inside the braces --- README.md | 10 ++--- lib/parser.js | 2 +- lib/pipeline/README.md | 10 ++--- lib/pipeline/functor.js | 2 +- lib/pipeline/index.js | 4 +- lib/websocket_extensions.js | 2 +- spec/parser_spec.js | 38 ++++++++--------- spec/websocket_extensions_spec.js | 68 +++++++++++++++---------------- 8 files changed, 68 insertions(+), 68 deletions(-) diff --git a/README.md b/README.md index 3ce97fc..68694ea 100644 --- a/README.md +++ b/README.md @@ -234,8 +234,8 @@ then the `permessage-deflate` extension will receive the call: ```js ext.createServerSession([ - {server_no_context_takeover: true, server_max_window_bits: 8}, - {server_max_window_bits: 15} + { server_no_context_takeover: true, server_max_window_bits: 8 }, + { server_max_window_bits: 15 } ]); ``` @@ -251,8 +251,8 @@ implement the following methods, as well as the *Session* API listed below. ```js clientSession.generateOffer() // e.g. -> [ -// {server_no_context_takeover: true, server_max_window_bits: 8}, -// {server_max_window_bits: 15} +// { server_no_context_takeover: true, server_max_window_bits: 8 }, +// { server_max_window_bits: 15 } // ] ``` @@ -277,7 +277,7 @@ must implement the following methods, as well as the *Session* API listed below. ```js serverSession.generateResponse() -// e.g. -> {server_max_window_bits: 8} +// e.g. -> { server_max_window_bits: 8 } ``` This returns the set of parameters the server session wants to send in its diff --git a/lib/parser.js b/lib/parser.js index 40a9ae0..b9e5e3e 100644 --- a/lib/parser.js +++ b/lib/parser.js @@ -83,7 +83,7 @@ Offers.prototype.push = function(name, params) { this._byName[name] = []; this._byName[name].push(params); - this._inOrder.push({name: name, params: params}); + this._inOrder.push({ name: name, params: params }); }; Offers.prototype.eachOffer = function(callback, context) { diff --git a/lib/pipeline/README.md b/lib/pipeline/README.md index ec76a9c..322a9c5 100644 --- a/lib/pipeline/README.md +++ b/lib/pipeline/README.md @@ -124,11 +124,11 @@ var crypto = require('crypto'), large = crypto.randomBytes(1 << 14), small = new Buffer('hi'); -deflate.outgoing({data: large}, function() { +deflate.outgoing({ data: large }, function() { console.log(1, 'large'); }); -deflate.outgoing({data: small}, function() { +deflate.outgoing({ data: small }, function() { console.log(2, 'small'); }); @@ -205,7 +205,7 @@ order is preserved: ```js var stream = require('stream'), - session = new stream.Transform({objectMode: true}); + session = new stream.Transform({ objectMode: true }); session._transform = function(message, _, callback) { var self = this; @@ -276,11 +276,11 @@ above: ```js var functor = new Functor(deflate, 'outgoing'); -functor.call({data: large}, function() { +functor.call({ data: large }, function() { console.log(1, 'large'); }); -functor.call({data: small}, function() { +functor.call({ data: small }, function() { console.log(2, 'small'); }); diff --git a/lib/pipeline/functor.js b/lib/pipeline/functor.js index f6c5f3b..fadb49a 100644 --- a/lib/pipeline/functor.js +++ b/lib/pipeline/functor.js @@ -15,7 +15,7 @@ Functor.QUEUE_SIZE = 8; Functor.prototype.call = function(error, message, callback, context) { if (this._stopped) return; - var record = {error: error, message: message, callback: callback, context: context, done: false}, + var record = { error: error, message: message, callback: callback, context: context, done: false }, called = false, self = this; diff --git a/lib/pipeline/index.js b/lib/pipeline/index.js index 169303c..930bbc8 100644 --- a/lib/pipeline/index.js +++ b/lib/pipeline/index.js @@ -5,7 +5,7 @@ var Cell = require('./cell'), var Pipeline = function(sessions) { this._cells = sessions.map(function(session) { return new Cell(session) }); - this._stopped = {incoming: false, outgoing: false}; + this._stopped = { incoming: false, outgoing: false }; }; Pipeline.prototype.processIncomingMessage = function(message, callback, context) { @@ -19,7 +19,7 @@ Pipeline.prototype.processOutgoingMessage = function(message, callback, context) }; Pipeline.prototype.close = function(callback, context) { - this._stopped = {incoming: true, outgoing: true}; + this._stopped = { incoming: true, outgoing: true }; var closed = this._cells.map(function(a) { return a.close() }); if (callback) diff --git a/lib/websocket_extensions.js b/lib/websocket_extensions.js index 12a1622..48adad8 100644 --- a/lib/websocket_extensions.js +++ b/lib/websocket_extensions.js @@ -112,7 +112,7 @@ var instance = { }, validFrameRsv: function(frame) { - var allowed = {rsv1: false, rsv2: false, rsv3: false}, + var allowed = { rsv1: false, rsv2: false, rsv3: false }, ext; if (Extensions.MESSAGE_OPCODES.indexOf(frame.opcode) >= 0) { diff --git a/spec/parser_spec.js b/spec/parser_spec.js index aa8f9e9..4f85aff 100644 --- a/spec/parser_spec.js +++ b/spec/parser_spec.js @@ -20,56 +20,56 @@ test.describe("Parser", function() { with(this) { }}) it("parses one offer with no params", function() { with(this) { - assertEqual( [{name: "a", params: {}}], + assertEqual( [{ name: "a", params: {}}], parse('a') ) }}) it("parses two offers with no params", function() { with(this) { - assertEqual( [{name: "a", params: {}}, {name: "b", params: {}}], + assertEqual( [{ name: "a", params: {}}, { name: "b", params: {}}], parse('a, b') ) }}) it("parses a duplicate offer name", function() { with(this) { - assertEqual( [{name: "a", params: {}}, {name: "a", params: {}}], + assertEqual( [{ name: "a", params: {}}, { name: "a", params: {}}], parse('a, a') ) }}) it("parses a flag", function() { with(this) { - assertEqual( [{name: "a", params: {b: true}}], + assertEqual( [{ name: "a", params: { b: true }}], parse('a; b') ) }}) it("parses an unquoted param", function() { with(this) { - assertEqual( [{name: "a", params: {b: 1}}], + assertEqual( [{ name: "a", params: { b: 1 }}], parse('a; b=1') ) }}) it("parses a quoted param", function() { with(this) { - assertEqual( [{name: "a", params: {b: 'hi, "there'}}], + assertEqual( [{ name: "a", params: { b: 'hi, "there' }}], parse('a; b="hi, \\"there"') ) }}) it("parses multiple params", function() { with(this) { - assertEqual( [{name: "a", params: {b: true, c: 1, d: 'hi'}}], + assertEqual( [{ name: "a", params: { b: true, c: 1, d: 'hi' }}], parse('a; b; c=1; d="hi"') ) }}) it("parses duplicate params", function() { with(this) { - assertEqual( [{name: "a", params: {b: [true, 'hi'], c: 1}}], + assertEqual( [{ name: "a", params: { b: [true, 'hi'], c: 1 }}], parse('a; b; c=1; b="hi"') ) }}) it("parses multiple complex offers", function() { with(this) { - assertEqual( [{name: "a", params: {b: 1}}, - {name: "c", params: {}}, - {name: "b", params: {d: true}}, - {name: "c", params: {e: ['hi, there', true]}}, - {name: "a", params: {b: true}}], + assertEqual( [{ name: "a", params: { b: 1 }}, + { name: "c", params: {}}, + { name: "b", params: { d: true }}, + { name: "c", params: { e: ['hi, there', true] }}, + { name: "a", params: { b: true }}], parse('a; b=1, c, b; d, c; e="hi, there"; e, a; b') ) }}) it("parses an extension name that shadows an Object property", function() { with(this) { - assertEqual( [{name: "hasOwnProperty", params: {}}], + assertEqual( [{ name: "hasOwnProperty", params: {}}], parse('hasOwnProperty') ) }}) @@ -86,23 +86,23 @@ test.describe("Parser", function() { with(this) { }}) it("serializes a flag", function() { with(this) { - assertEqual( 'a; b', Parser.serializeParams('a', {b: true}) ) + assertEqual( 'a; b', Parser.serializeParams('a', { b: true }) ) }}) it("serializes an unquoted param", function() { with(this) { - assertEqual( 'a; b=42', Parser.serializeParams('a', {b: '42'}) ) + assertEqual( 'a; b=42', Parser.serializeParams('a', { b: '42' }) ) }}) it("serializes a quoted param", function() { with(this) { - assertEqual( 'a; b="hi, there"', Parser.serializeParams('a', {b: 'hi, there'}) ) + assertEqual( 'a; b="hi, there"', Parser.serializeParams('a', { b: 'hi, there' }) ) }}) it("serializes multiple params", function() { with(this) { - assertEqual( 'a; b; c=1; d=hi', Parser.serializeParams('a', {b: true, c: 1, d: 'hi'}) ) + assertEqual( 'a; b; c=1; d=hi', Parser.serializeParams('a', { b: true, c: 1, d: 'hi' }) ) }}) it("serializes duplicate params", function() { with(this) { - assertEqual( 'a; b; b=hi; c=1', Parser.serializeParams('a', {b: [true, 'hi'], c: 1}) ) + assertEqual( 'a; b; b=hi; c=1', Parser.serializeParams('a', { b: [true, 'hi'], c: 1 }) ) }}) }}) }}) diff --git a/spec/websocket_extensions_spec.js b/spec/websocket_extensions_spec.js index 9988f47..8c6d873 100644 --- a/spec/websocket_extensions_spec.js +++ b/spec/websocket_extensions_spec.js @@ -6,7 +6,7 @@ test.describe("Extensions", function() { with(this) { before(function() { with(this) { this.extensions = new Extensions() - this.ext = {name: "deflate", type: "permessage", rsv1: true, rsv2: false, rsv3: false} + this.ext = { name: "deflate", type: "permessage", rsv1: true, rsv2: false, rsv3: false } this.session = {} }}) @@ -38,20 +38,20 @@ test.describe("Extensions", function() { with(this) { describe("client sessions", function() { with(this) { before(function() { with(this) { - this.offer = {mode: "compress"} + this.offer = { mode: "compress" } stub(ext, "createClientSession").returns(session) stub(session, "generateOffer").returns(offer) extensions.add(ext) - this.conflict = {name: "tar", type: "permessage", rsv1: true, rsv2: false, rsv3: false} + this.conflict = { name: "tar", type: "permessage", rsv1: true, rsv2: false, rsv3: false } this.conflictSession = {} stub(conflict, "createClientSession").returns(conflictSession) - stub(conflictSession, "generateOffer").returns({gzip: true}) + stub(conflictSession, "generateOffer").returns({ gzip: true }) - this.nonconflict = {name: "reverse", type: "permessage", rsv1: false, rsv2: true, rsv3: false} + this.nonconflict = { name: "reverse", type: "permessage", rsv1: false, rsv2: true, rsv3: false } this.nonconflictSession = {} stub(nonconflict, "createClientSession").returns(nonconflictSession) - stub(nonconflictSession, "generateOffer").returns({utf8: true}) + stub(nonconflictSession, "generateOffer").returns({ utf8: true }) stub(session, "activate").returns(true) stub(conflictSession, "activate").returns(true) @@ -133,18 +133,18 @@ test.describe("Extensions", function() { with(this) { }}) it("activates one session with a boolean param", function() { with(this) { - expect(session, "activate").given({gzip: true}).exactly(1).returning(true) + expect(session, "activate").given({ gzip: true }).exactly(1).returning(true) extensions.activate("deflate; gzip") }}) it("activates one session with a string param", function() { with(this) { - expect(session, "activate").given({mode: "compress"}).exactly(1).returning(true) + expect(session, "activate").given({ mode: "compress" }).exactly(1).returning(true) extensions.activate("deflate; mode=compress") }}) it("activates multiple sessions", function() { with(this) { - expect(session, "activate").given({a: true}).exactly(1).returning(true) - expect(nonconflictSession, "activate").given({b: true}).exactly(1).returning(true) + expect(session, "activate").given({ a: true }).exactly(1).returning(true) + expect(nonconflictSession, "activate").given({ b: true }).exactly(1).returning(true) extensions.activate("deflate; a, reverse; b") }}) @@ -180,7 +180,7 @@ test.describe("Extensions", function() { with(this) { it("processes messages in the reverse order given in the server's response", function() { with(this) { extensions.activate("deflate, reverse") - extensions.processIncomingMessage({frames: []}, function(error, message) { + extensions.processIncomingMessage({ frames: [] }, function(error, message) { assertNull( error ) assertEqual( ["reverse", "deflate"], message.frames ) }) @@ -188,9 +188,9 @@ test.describe("Extensions", function() { with(this) { it("yields an error if a session yields an error", function() { with(this) { extensions.activate("deflate") - stub(session, "processIncomingMessage").yields([{message: "ENOENT"}]) + stub(session, "processIncomingMessage").yields([{ message: "ENOENT" }]) - extensions.processIncomingMessage({frames: []}, function(error, message) { + extensions.processIncomingMessage({ frames: [] }, function(error, message) { assertEqual( "deflate: ENOENT", error.message ) assertNull( message ) }) @@ -198,11 +198,11 @@ test.describe("Extensions", function() { with(this) { it("does not call sessions after one has yielded an error", function() { with(this) { extensions.activate("deflate, reverse") - stub(nonconflictSession, "processIncomingMessage").yields([{message: "ENOENT"}]) + stub(nonconflictSession, "processIncomingMessage").yields([{ message: "ENOENT" }]) expect(session, "processIncomingMessage").exactly(0) - extensions.processIncomingMessage({frames: []}, function() {}) + extensions.processIncomingMessage({ frames: [] }, function() {}) }}) }}) @@ -336,11 +336,11 @@ test.describe("Extensions", function() { with(this) { extensions.activate("deflate, reverse") var out = [] - extensions.processOutgoingMessage({frames: []}, function(error, message) { out.push(message) }) - extensions.processOutgoingMessage({frames: [1]}, function(error, message) { out.push(message) }) + extensions.processOutgoingMessage({ frames: [] }, function(error, message) { out.push(message) }) + extensions.processOutgoingMessage({ frames: [1] }, function(error, message) { out.push(message) }) clock.tick(200) - assertEqual( [{frames: ["a", "c"]}, {frames: [1, "b", "d"]}], out ) + assertEqual( [{ frames: ["a", "c"] }, { frames: [1, "b", "d"] }], out ) }}) it("defers closing until the extension has finished processing", function() { with(this) { @@ -349,7 +349,7 @@ test.describe("Extensions", function() { with(this) { var closed = false, notified = false stub(session, "close", function() { closed = true }) - extensions.processOutgoingMessage({frames: []}, function() {}) + extensions.processOutgoingMessage({ frames: [] }, function() {}) extensions.close(function() { notified = true }) clock.tick(50) @@ -366,7 +366,7 @@ test.describe("Extensions", function() { with(this) { stub(session, "close", function() { closed[0] = true }) stub(nonconflictSession, "close", function() { closed[1] = true }) - extensions.processOutgoingMessage({frames: []}, function() {}); + extensions.processOutgoingMessage({ frames: [] }, function() {}); extensions.close(function() { notified = true }) clock.tick(50) @@ -384,7 +384,7 @@ test.describe("Extensions", function() { with(this) { extensions.activate("deflate") stub(session, "close", function() { closed = true }) - extensions.processOutgoingMessage({frames: []}, function() {}) + extensions.processOutgoingMessage({ frames: [] }, function() {}) extensions.close() clock.tick(100) @@ -397,7 +397,7 @@ test.describe("Extensions", function() { with(this) { it("processes messages in the order given in the server's response", function() { with(this) { extensions.activate("deflate, reverse") - extensions.processOutgoingMessage({frames: []}, function(error, message) { + extensions.processOutgoingMessage({ frames: [] }, function(error, message) { assertNull( error ) assertEqual( ["deflate", "reverse"], message.frames ) }) @@ -406,7 +406,7 @@ test.describe("Extensions", function() { with(this) { it("processes messages in the server's order, not the client's order", function() { with(this) { extensions.activate("reverse, deflate") - extensions.processOutgoingMessage({frames: []}, function(error, message) { + extensions.processOutgoingMessage({ frames: [] }, function(error, message) { assertNull( error ) assertEqual( ["reverse", "deflate"], message.frames ) }) @@ -414,9 +414,9 @@ test.describe("Extensions", function() { with(this) { it("yields an error if a session yields an error", function() { with(this) { extensions.activate("deflate") - stub(session, "processOutgoingMessage").yields([{message: "ENOENT"}]) + stub(session, "processOutgoingMessage").yields([{ message: "ENOENT" }]) - extensions.processOutgoingMessage({frames: []}, function(error, message) { + extensions.processOutgoingMessage({ frames: [] }, function(error, message) { assertEqual( "deflate: ENOENT", error.message ) assertNull( message ) }) @@ -424,30 +424,30 @@ test.describe("Extensions", function() { with(this) { it("does not call sessions after one has yielded an error", function() { with(this) { extensions.activate("deflate, reverse") - stub(session, "processOutgoingMessage").yields([{message: "ENOENT"}]) + stub(session, "processOutgoingMessage").yields([{ message: "ENOENT" }]) expect(nonconflictSession, "processOutgoingMessage").exactly(0) - extensions.processOutgoingMessage({frames: []}, function() {}) + extensions.processOutgoingMessage({ frames: [] }, function() {}) }}) }}) }}) describe("server sessions", function() { with(this) { before(function() { with(this) { - this.response = {mode: "compress"} + this.response = { mode: "compress" } stub(ext, "createServerSession").returns(session) stub(session, "generateResponse").returns(response) - this.conflict = {name: "tar", type: "permessage", rsv1: true, rsv2: false, rsv3: false} + this.conflict = { name: "tar", type: "permessage", rsv1: true, rsv2: false, rsv3: false } this.conflictSession = {} stub(conflict, "createServerSession").returns(conflictSession) - stub(conflictSession, "generateResponse").returns({gzip: true}) + stub(conflictSession, "generateResponse").returns({ gzip: true }) - this.nonconflict = {name: "reverse", type: "permessage", rsv1: false, rsv2: true, rsv3: false} + this.nonconflict = { name: "reverse", type: "permessage", rsv1: false, rsv2: true, rsv3: false } this.nonconflictSession = {} stub(nonconflict, "createServerSession").returns(nonconflictSession) - stub(nonconflictSession, "generateResponse").returns({utf8: true}) + stub(nonconflictSession, "generateResponse").returns({ utf8: true }) extensions.add(ext) extensions.add(conflict) @@ -456,12 +456,12 @@ test.describe("Extensions", function() { with(this) { describe("generateResponse", function() { with(this) { it("asks the extension for a server session with the offer", function() { with(this) { - expect(ext, "createServerSession").given([{flag: true}]).exactly(1).returning(session) + expect(ext, "createServerSession").given([{ flag: true }]).exactly(1).returning(session) extensions.generateResponse("deflate; flag") }}) it("asks the extension for a server session with multiple offers", function() { with(this) { - expect(ext, "createServerSession").given([{a: true}, {b: true}]).exactly(1).returning(session) + expect(ext, "createServerSession").given([{ a: true }, { b: true }]).exactly(1).returning(session) extensions.generateResponse("deflate; a, deflate; b") }}) From 4a76c75efb1c5d6a2f60550e9501757458d19533 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Thu, 14 May 2020 16:29:08 +0100 Subject: [PATCH 6/8] Add Node versions 13 and 14 on Travis --- .travis.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index a58d749..4a368c0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -14,6 +14,8 @@ node_js: - "10" - "11" - "12" + - "13" + - "14" before_install: - - '[ "${TRAVIS_NODE_VERSION}" = "0.8" ] && npm install -g npm@~1.4.0 || true' + - '[ "${TRAVIS_NODE_VERSION}" != "0.8" ] || npm install -g npm@~1.4.0' From 29496f6838bfadfe5a2f85dff33ed0ba33873237 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Mon, 1 Jun 2020 21:42:07 +0100 Subject: [PATCH 7/8] Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser There is a regular expression denial of service (ReDoS) vulnerability in the parser we use to process the `Sec-WebSocket-Extensions` header. It can be exploited by sending an opening WebSocket handshake to a server containing a header of the form: Sec-WebSocket-Extensions: a;b="\c\c\c\c\c\c\c\c\c\c ... i.e. a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this can be used to exhaust the server's capacity to process requests. This vulnerability has been assigned the identifier CVE-2020-7662 and was reported by Robert McLaughlin. We believe this flaw stems from the grammar specified for this header. [RFC 6455][1] defines the grammar for the header as: Sec-WebSocket-Extensions = extension-list extension-list = 1#extension extension = extension-token *( ";" extension-param ) extension-token = registered-token registered-token = token extension-param = token [ "=" (token | quoted-string) ] It refers to [RFC 2616][2] for the definitions of `token` and `quoted-string`, which are: token = 1* separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT quoted-string = ( <"> *(qdtext | quoted-pair ) <"> ) qdtext = > quoted-pair = "\" CHAR These rely on the `CHAR`, `CTL` and `TEXT` grammars, which are: CHAR = CTL = TEXT = Other relevant definitions to support these: OCTET = LWS = [CRLF] 1*( SP | HT ) CRLF = CR LF HT = LF = CR = SP = To expand some of these terms out and write them as regular expressions: OCTET = [\x00-\xFF] CHAR = [\x00-\x7F] TEXT = [\t \x21-\x7E\x80-\xFF] The allowable bytes for `token` are [\x00-\x7F], except [\x00-\x1F\x7F] (leaving [\x20-\x7E]) and `separators`, which leaves the following set of allowed chars: ! # $ % & ' * + - . ^ _ ` | ~ [0-9] [A-Z] [a-z] `quoted-string` contains a repeated pattern of either `qdtext` or `quoted-pair`. `qdtext` is any `TEXT` byte except <">, and the <"> character is ASCII 34, or 0x22. The character is 0x21. So `qdtext` can be written either positively as: qdtext = [\t !\x23-\x7E\x80-\xFF] or negatively, as: qdtext = [^\x00-\x08\x0A-\x1F\x7F"] We use the negative definition here. The other alternative in the `quoted-string` pattern is: quoted-pair = \\[\x00-\x7F] The problem is that the set of bytes matched by `qdtext` includes <\>, and intersects with the second element of `quoted-pair`. That means the sequence \c can be matched as either two `qdtext` bytes, or as a single `quoted-pair`. When the regex engine fails to find a trailing <"> to close the string, it back-tracks and tries every alternate parse for the string, which doubles with each pair of bytes in the input. To fix the ReDoS flaw we need to rewrite the repeating pattern so that none of its alternate branches can match the same text. For example, we could try dividing the set of bytes [\x00-\xFF] into those that must not follow a <\>, those that may follow a <\>, and those that must be preceded by <\>, and thereby construct a pattern of the form: (A|\?B|\C)* where A, B and C have no characters in common. In our case the three branch patterns would be: A = qdtext - CHAR = [\x80-\xFF] B = qdtext & CHAR = [\t !\x23-\x7E] C = CHAR - qdtext = [\x00-\x08\x0A-\x1F\x7F"] These sets do not intersect, and notice <"> appears in set C so must be preceded by <\>. But we still have a problem: <\> (0x5C) and all the alphabetic characters are in set B, so the pattern \?B can match all these: c \ \c So the sequence \c\c\c... still produces exponential back-tracking. It also fails to parse input like this correctly: Sec-WebSocket-Extensions: a; b="c\", d" Because the grammar allows a single backslash to appear by itself, this is arguably a syntax error where the parameter `b` has value `c\` and then a new extension `d` begins with a <"> appearing where it should not. So the core problem is with the grammar itself: `qdtext` matches a single backslash <\>, and `quoted-pair` matches a pair <\\>. So given a sequence of backslashes there's no canonical parse and the grammar is ambiguous. [RFC 7230][3] remedies this problem and makes the grammar clearer. First, it defines `token` explicitly rather than implicitly: token = 1*tchar tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA And second, it defines `quoted-string` so that backslashes cannot appear on their own: quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE qdtext = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text obs-text = %x80-FF quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) where VCHAR is any printing ASCII character 0x21-0x7E. Notice `qdtext` is just our previous definition but with 5C excluded, so it cannot accept a single backslash. This commit makes this modification to our matching patterns, and thereby removes the ReDoS vector. Technically this means it does not match the grammar of RFC 6455, but we expect this to have little or no practical impact, especially since the one main protocol extension, `permessage-deflate` ([RFC 7692][4]), does not have any string-valued parameters. [1]: https://tools.ietf.org/html/rfc6455#section-9.1 [2]: https://tools.ietf.org/html/rfc2616#section-2.2 [3]: https://tools.ietf.org/html/rfc7230#section-3.2.6 [4]: https://tools.ietf.org/html/rfc7692 --- lib/parser.js | 2 +- spec/parser_spec.js | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/parser.js b/lib/parser.js index b9e5e3e..533767e 100644 --- a/lib/parser.js +++ b/lib/parser.js @@ -2,7 +2,7 @@ var TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)/, NOTOKEN = /([^!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z])/g, - QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/, + QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/, PARAM = new RegExp(TOKEN.source + '(?:=(?:' + TOKEN.source + '|' + QUOTED.source + '))?'), EXT = new RegExp(TOKEN.source + '(?: *; *' + PARAM.source + ')*', 'g'), EXT_LIST = new RegExp('^' + EXT.source + '(?: *, *' + EXT.source + ')*$'), diff --git a/spec/parser_spec.js b/spec/parser_spec.js index 4f85aff..f424648 100644 --- a/spec/parser_spec.js +++ b/spec/parser_spec.js @@ -78,6 +78,11 @@ test.describe("Parser", function() { with(this) { assertEqual( result.params.hasOwnProperty, true ) }}) + it("rejects a string missing its closing quote", function() { with(this) { + assertThrows(SyntaxError, function() { + parse('foo; bar="fooa\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a') + }) + }}) }}) describe("serializeParams", function() { with(this) { From 5ea0b420804ba6c4219e152b52fd3bdd6d144041 Mon Sep 17 00:00:00 2001 From: James Coglan Date: Tue, 2 Jun 2020 13:18:05 +0100 Subject: [PATCH 8/8] Bump version to 0.1.4 --- CHANGELOG.md | 6 ++++++ LICENSE.md | 2 +- package.json | 2 +- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a0a020..bb84f5a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +### 0.1.4 / 2020-06-02 + +- Remove a ReDoS vulnerability in the header parser (CVE-2020-7662, reported by + Robert McLaughlin) +- Change license from MIT to Apache 2.0 + ### 0.1.3 / 2017-11-11 - Accept extension names and parameters including uppercase letters diff --git a/LICENSE.md b/LICENSE.md index 5861b5c..3a88e51 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,4 +1,4 @@ -Copyright 2014-2017 James Coglan +Copyright 2014-2020 James Coglan Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the diff --git a/package.json b/package.json index 7ec6f19..e4f2f91 100644 --- a/package.json +++ b/package.json @@ -7,7 +7,7 @@ "websocket" ], "license": "Apache-2.0", - "version": "0.1.3", + "version": "0.1.4", "engines": { "node": ">=0.8.0" },