Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve WebSocket handshake validation #5327

Merged
merged 5 commits into from
Apr 27, 2018
Merged

Improve WebSocket handshake validation #5327

merged 5 commits into from
Apr 27, 2018

Conversation

straight-shoota
Copy link
Member

This PR adds the following changes in accordance with RCF 6455]

  • WebSocketHandler verifies that Sec-WebSocket-Key is present (previously this unchecked fetch resulted in a KeyError) and fails with 400 Bad Request if not
  • WebSocketHandler verifies that Sec-WebSocket-Version is present and equals 13 and fails with 426 Upgrade Required if not
  • WebSocket::Protocol verifies that Sec-WebSocket-Accept is present and contains the correct challenge response

luislavena
luislavena reviewed Nov 28, 2017
View reviewed changes
src/http/web_socket/protocol.cr
@@ -285,4 +292,12 @@ class HTTP::WebSocket::Protocol

raise ArgumentError.new("No host or path specified which are required.")
end

def self.key_challenge(key)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assume this is public because is used above (Protocol.key_challenge). In that case, perhaps will be better add a :nodoc: marker to avoid this showing up in the documentation?

Thank you.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this needs to be accessible from WebSocketHandler.
The entire Protocol class is just internal implementation and not documented.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, missed that from the PR diff, thank you for your response!

@straight-shoota
Copy link
Member Author

Could this get a review from @ysbaddaden?

asterite
asterite requested changes Jan 2, 2018
View reviewed changes
src/http/server/handlers/websocket_handler.cr Outdated
response = context.response

version = context.request.headers["Sec-WebSocket-Version"]?
unless version == WebSocket::Protocol::VERSION.to_s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's have WebSocket::Protocol::VERSION_STRING too, or something like that. I'd like to avoid a to_s call for each socket upgrade.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch 👍 It's only used as a string anyway, so I'll just change the datatype of the constant.

@straight-shoota
Copy link
Member Author

@asterite Care to give this a ✔️ ?

@sdogruyol sdogruyol merged commit d3be42e into crystal-lang:master Apr 27, 2018
@sdogruyol sdogruyol added this to the Next milestone Apr 27, 2018
@straight-shoota straight-shoota deleted the jm-fix-websocket-key branch April 27, 2018 09:06
@Sija
Copy link
Contributor

Sija commented Apr 27, 2018

It seems that this PR wasn't rebased onto master after merging #5776, causing CI to fail (see #6007 (comment) -> https://travis-ci.org/crystal-lang/crystal/jobs/372022339#L520-L527). Needs hotfix.

@bcardiff
Copy link
Member

I think the commit should be rollbacked and reopen the PR. I just reach the issue while branching master.

sdogruyol added a commit that referenced this pull request Apr 27, 2018
@sdogruyol
Revert "Improve WebSocket handshake validation (#5327)"
525397a 
This reverts commit d3be42e.
@sdogruyol sdogruyol mentioned this pull request Apr 27, 2018
Merged
sdogruyol added a commit that referenced this pull request Apr 27, 2018
@sdogruyol
Revert "Improve WebSocket handshake validation (#5327)" (#6020)
d8e765e 
This reverts commit d3be42e.
@sdogruyol
Copy link
Member

Reverted the PR, master is ✔️ @straight-shoota can you reopen the PR?

@straight-shoota straight-shoota restored the jm-fix-websocket-key branch April 28, 2018 12:15
@straight-shoota straight-shoota mentioned this pull request Apr 28, 2018
Merged
@straight-shoota
Copy link
Member Author

I don't think you can reopen a merged PR. That'd be awkward.

It's #6027 now.

chris-huxtable pushed a commit to chris-huxtable/crystal that referenced this pull request Jun 6, 2018
@straight-shoota @chris-huxtable
Improve WebSocket handshake validation (crystal-lang#5327)
7504580
chris-huxtable pushed a commit to chris-huxtable/crystal that referenced this pull request Jun 6, 2018
@sdogruyol @chris-huxtable
Revert "Improve WebSocket handshake validation (crystal-lang#5327)" (c…
aebe264 
…rystal-lang#6020)

This reverts commit d3be42e.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luislavena luislavena luislavena left review comments

@asterite asterite asterite requested changes

@RX14 RX14 RX14 approved these changes

@sdogruyol sdogruyol sdogruyol approved these changes

Assignees
No one assigned
Labels
kind:refactor topic:stdlib
Projects
None yet
Milestone
0.25.0
Development

Successfully merging this pull request may close these issues.
7 participants
@straight-shoota @Sija @bcardiff @sdogruyol @luislavena @asterite @RX14