From 2bb9df827e0acd565dcb4d44a548cfed6446c391 Mon Sep 17 00:00:00 2001 From: GitHub Actions Date: Mon, 16 Mar 2026 21:02:01 +0000 Subject: [PATCH] chore: Update dist --- THIRD-PARTY | 2 +- dist/cleanup/index.js | 125 +++++++++++++++++++++++++++++++++++++----- dist/index.js | 125 +++++++++++++++++++++++++++++++++++++----- 3 files changed, 223 insertions(+), 29 deletions(-) diff --git a/THIRD-PARTY b/THIRD-PARTY index d37ac26..f479ac9 100644 --- a/THIRD-PARTY +++ b/THIRD-PARTY @@ -2893,7 +2893,7 @@ SOFTWARE. The following npm package may be included in this product: - - undici@6.23.0 + - undici@6.24.0 This package contains the following license: diff --git a/dist/cleanup/index.js b/dist/cleanup/index.js index a6fd05a..5c28d64 100644 --- a/dist/cleanup/index.js +++ b/dist/cleanup/index.js @@ -935,6 +935,21 @@ var require_errors = __commonJS({ } [kSecureProxyConnectionError] = true; }; + var kMessageSizeExceededError = /* @__PURE__ */ Symbol.for("undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"); + var MessageSizeExceededError = class extends UndiciError { + constructor(message) { + super(message); + this.name = "MessageSizeExceededError"; + this.message = message || "Max decompressed message size exceeded"; + this.code = "UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"; + } + static [Symbol.hasInstance](instance) { + return instance && instance[kMessageSizeExceededError] === true; + } + get [kMessageSizeExceededError]() { + return true; + } + }; module2.exports = { AbortError, HTTPParserError, @@ -958,7 +973,8 @@ var require_errors = __commonJS({ ResponseExceededMaxSizeError, RequestRetryError, ResponseError, - SecureProxyConnectionError + SecureProxyConnectionError, + MessageSizeExceededError }; } }); @@ -1968,6 +1984,9 @@ var require_request = __commonJS({ if (upgrade && typeof upgrade !== "string") { throw new InvalidArgumentError("upgrade must be a string"); } + if (upgrade && !isValidHeaderValue(upgrade)) { + throw new InvalidArgumentError("invalid upgrade header"); + } if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { throw new InvalidArgumentError("invalid headersTimeout"); } @@ -2200,12 +2219,18 @@ var require_request = __commonJS({ } else { val = `${val}`; } - if (request.host === null && headerName === "host") { + if (headerName === "host") { + if (request.host !== null) { + throw new InvalidArgumentError("duplicate host header"); + } if (typeof val !== "string") { throw new InvalidArgumentError("invalid host header"); } request.host = val; - } else if (request.contentLength === null && headerName === "content-length") { + } else if (headerName === "content-length") { + if (request.contentLength !== null) { + throw new InvalidArgumentError("duplicate content-length header"); + } request.contentLength = parseInt(val, 10); if (!Number.isFinite(request.contentLength)) { throw new InvalidArgumentError("invalid content-length header"); @@ -16977,13 +17002,17 @@ var require_util7 = __commonJS({ return extensionList; } function isValidClientWindowBits(value) { + if (value.length === 0) { + return false; + } for (let i = 0; i < value.length; i++) { const byte = value.charCodeAt(i); if (byte < 48 || byte > 57) { return false; } } - return true; + const num = Number.parseInt(value, 10); + return num >= 8 && num <= 15; } var hasIntl = typeof process.versions.icu === "string"; var fatalDecoder = hasIntl ? new TextDecoder("utf-8", { fatal: true }) : void 0; @@ -17282,18 +17311,35 @@ var require_permessage_deflate = __commonJS({ "use strict"; var { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require("node:zlib"); var { isValidClientWindowBits } = require_util7(); + var { MessageSizeExceededError } = require_errors(); var tail = Buffer.from([0, 0, 255, 255]); var kBuffer = /* @__PURE__ */ Symbol("kBuffer"); var kLength = /* @__PURE__ */ Symbol("kLength"); + var kDefaultMaxDecompressedSize = 4 * 1024 * 1024; var PerMessageDeflate = class { /** @type {import('node:zlib').InflateRaw} */ #inflate; #options = {}; - constructor(extensions) { + /** @type {number} */ + #maxDecompressedSize; + /** @type {boolean} */ + #aborted = false; + /** @type {Function|null} */ + #currentCallback = null; + /** + * @param {Map} extensions + * @param {{ maxDecompressedMessageSize?: number }} [options] + */ + constructor(extensions, options = {}) { this.#options.serverNoContextTakeover = extensions.has("server_no_context_takeover"); this.#options.serverMaxWindowBits = extensions.get("server_max_window_bits"); + this.#maxDecompressedSize = options.maxDecompressedMessageSize ?? kDefaultMaxDecompressedSize; } decompress(chunk, fin, callback) { + if (this.#aborted) { + callback(new MessageSizeExceededError()); + return; + } if (!this.#inflate) { let windowBits = Z_DEFAULT_WINDOWBITS; if (this.#options.serverMaxWindowBits) { @@ -17303,26 +17349,51 @@ var require_permessage_deflate = __commonJS({ } windowBits = Number.parseInt(this.#options.serverMaxWindowBits); } - this.#inflate = createInflateRaw({ windowBits }); + try { + this.#inflate = createInflateRaw({ windowBits }); + } catch (err) { + callback(err); + return; + } this.#inflate[kBuffer] = []; this.#inflate[kLength] = 0; this.#inflate.on("data", (data) => { - this.#inflate[kBuffer].push(data); + if (this.#aborted) { + return; + } this.#inflate[kLength] += data.length; + if (this.#inflate[kLength] > this.#maxDecompressedSize) { + this.#aborted = true; + this.#inflate.removeAllListeners(); + this.#inflate.destroy(); + this.#inflate = null; + if (this.#currentCallback) { + const cb = this.#currentCallback; + this.#currentCallback = null; + cb(new MessageSizeExceededError()); + } + return; + } + this.#inflate[kBuffer].push(data); }); this.#inflate.on("error", (err) => { this.#inflate = null; callback(err); }); } + this.#currentCallback = callback; this.#inflate.write(chunk); if (fin) { this.#inflate.write(tail); } this.#inflate.flush(() => { + if (this.#aborted || !this.#inflate) { + return; + } const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength]); this.#inflate[kBuffer].length = 0; this.#inflate[kLength] = 0; + this.#currentCallback = null; callback(null, full); }); } @@ -17362,12 +17433,20 @@ var require_receiver = __commonJS({ #fragments = []; /** @type {Map} */ #extensions; - constructor(ws, extensions) { + /** @type {{ maxDecompressedMessageSize?: number }} */ + #options; + /** + * @param {import('./websocket').WebSocket} ws + * @param {Map|null} extensions + * @param {{ maxDecompressedMessageSize?: number }} [options] + */ + constructor(ws, extensions, options = {}) { super(); this.ws = ws; this.#extensions = extensions == null ? /* @__PURE__ */ new Map() : extensions; + this.#options = options; if (this.#extensions.has("permessage-deflate")) { - this.#extensions.set("permessage-deflate", new PerMessageDeflate(extensions)); + this.#extensions.set("permessage-deflate", new PerMessageDeflate(extensions, options)); } } /** @@ -17465,12 +17544,12 @@ var require_receiver = __commonJS({ } const buffer = this.consume(8); const upper = buffer.readUInt32BE(0); - if (upper > 2 ** 31 - 1) { + const lower = buffer.readUInt32BE(4); + if (upper !== 0 || lower > 2 ** 31 - 1) { failWebsocketConnection(this.ws, "Received payload length > 2^31 bytes."); return; } - const lower = buffer.readUInt32BE(4); - this.#info.payloadLength = (upper << 8) + lower; + this.#info.payloadLength = lower; this.#state = parserStates.READ_DATA; } else if (this.#state === parserStates.READ_DATA) { if (this.#byteOffset < this.#info.payloadLength) { @@ -17492,7 +17571,7 @@ var require_receiver = __commonJS({ } else { this.#extensions.get("permessage-deflate").decompress(body, this.#info.fin, (error, data) => { if (error) { - closeWebSocketConnection(this.ws, 1007, error.message, error.message.length); + failWebsocketConnection(this.ws, error.message); return; } this.#fragments.push(data); @@ -17761,6 +17840,8 @@ var require_websocket = __commonJS({ #extensions = ""; /** @type {SendQueue} */ #sendQueue; + /** @type {{ maxDecompressedMessageSize?: number }} */ + #options; /** * @param {string} url * @param {string|string[]} protocols @@ -17804,6 +17885,9 @@ var require_websocket = __commonJS({ throw new DOMException("Invalid Sec-WebSocket-Protocol value", "SyntaxError"); } this[kWebSocketURL] = new URL(urlRecord.href); + this.#options = { + maxDecompressedMessageSize: options.maxDecompressedMessageSize + }; const client = environmentSettingsObject.settingsObject; this[kController] = establishWebSocketConnection( urlRecord, @@ -17987,7 +18071,7 @@ var require_websocket = __commonJS({ */ #onConnectionEstablished(response, parsedExtensions) { this[kResponse] = response; - const parser = new ByteParser(this, parsedExtensions); + const parser = new ByteParser(this, parsedExtensions, this.#options); parser.on("drain", onParserDrain); parser.on("error", onParserError.bind(this)); response.socket.ws = this; @@ -18062,6 +18146,19 @@ var require_websocket = __commonJS({ { key: "headers", converter: webidl.nullableConverter(webidl.converters.HeadersInit) + }, + { + key: "maxDecompressedMessageSize", + converter: webidl.nullableConverter((V) => { + V = webidl.converters["unsigned long long"](V); + if (V <= 0) { + throw webidl.errors.exception({ + header: "WebSocket constructor", + message: "maxDecompressedMessageSize must be greater than 0" + }); + } + return V; + }) } ]); webidl.converters["DOMString or sequence or WebSocketInit"] = function(V) { diff --git a/dist/index.js b/dist/index.js index 6c8ab3f..3513d10 100644 --- a/dist/index.js +++ b/dist/index.js @@ -938,6 +938,21 @@ var require_errors = __commonJS({ } [kSecureProxyConnectionError] = true; }; + var kMessageSizeExceededError = /* @__PURE__ */ Symbol.for("undici.error.UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"); + var MessageSizeExceededError = class extends UndiciError { + constructor(message) { + super(message); + this.name = "MessageSizeExceededError"; + this.message = message || "Max decompressed message size exceeded"; + this.code = "UND_ERR_WS_MESSAGE_SIZE_EXCEEDED"; + } + static [Symbol.hasInstance](instance) { + return instance && instance[kMessageSizeExceededError] === true; + } + get [kMessageSizeExceededError]() { + return true; + } + }; module2.exports = { AbortError, HTTPParserError, @@ -961,7 +976,8 @@ var require_errors = __commonJS({ ResponseExceededMaxSizeError, RequestRetryError, ResponseError, - SecureProxyConnectionError + SecureProxyConnectionError, + MessageSizeExceededError }; } }); @@ -1971,6 +1987,9 @@ var require_request = __commonJS({ if (upgrade && typeof upgrade !== "string") { throw new InvalidArgumentError("upgrade must be a string"); } + if (upgrade && !isValidHeaderValue(upgrade)) { + throw new InvalidArgumentError("invalid upgrade header"); + } if (headersTimeout != null && (!Number.isFinite(headersTimeout) || headersTimeout < 0)) { throw new InvalidArgumentError("invalid headersTimeout"); } @@ -2203,12 +2222,18 @@ var require_request = __commonJS({ } else { val = `${val}`; } - if (request.host === null && headerName === "host") { + if (headerName === "host") { + if (request.host !== null) { + throw new InvalidArgumentError("duplicate host header"); + } if (typeof val !== "string") { throw new InvalidArgumentError("invalid host header"); } request.host = val; - } else if (request.contentLength === null && headerName === "content-length") { + } else if (headerName === "content-length") { + if (request.contentLength !== null) { + throw new InvalidArgumentError("duplicate content-length header"); + } request.contentLength = parseInt(val, 10); if (!Number.isFinite(request.contentLength)) { throw new InvalidArgumentError("invalid content-length header"); @@ -16980,13 +17005,17 @@ var require_util7 = __commonJS({ return extensionList; } function isValidClientWindowBits(value) { + if (value.length === 0) { + return false; + } for (let i5 = 0; i5 < value.length; i5++) { const byte = value.charCodeAt(i5); if (byte < 48 || byte > 57) { return false; } } - return true; + const num = Number.parseInt(value, 10); + return num >= 8 && num <= 15; } var hasIntl = typeof process.versions.icu === "string"; var fatalDecoder = hasIntl ? new TextDecoder("utf-8", { fatal: true }) : void 0; @@ -17285,18 +17314,35 @@ var require_permessage_deflate = __commonJS({ "use strict"; var { createInflateRaw, Z_DEFAULT_WINDOWBITS } = require("node:zlib"); var { isValidClientWindowBits } = require_util7(); + var { MessageSizeExceededError } = require_errors(); var tail = Buffer.from([0, 0, 255, 255]); var kBuffer = /* @__PURE__ */ Symbol("kBuffer"); var kLength = /* @__PURE__ */ Symbol("kLength"); + var kDefaultMaxDecompressedSize = 4 * 1024 * 1024; var PerMessageDeflate = class { /** @type {import('node:zlib').InflateRaw} */ #inflate; #options = {}; - constructor(extensions) { + /** @type {number} */ + #maxDecompressedSize; + /** @type {boolean} */ + #aborted = false; + /** @type {Function|null} */ + #currentCallback = null; + /** + * @param {Map} extensions + * @param {{ maxDecompressedMessageSize?: number }} [options] + */ + constructor(extensions, options = {}) { this.#options.serverNoContextTakeover = extensions.has("server_no_context_takeover"); this.#options.serverMaxWindowBits = extensions.get("server_max_window_bits"); + this.#maxDecompressedSize = options.maxDecompressedMessageSize ?? kDefaultMaxDecompressedSize; } decompress(chunk, fin, callback) { + if (this.#aborted) { + callback(new MessageSizeExceededError()); + return; + } if (!this.#inflate) { let windowBits = Z_DEFAULT_WINDOWBITS; if (this.#options.serverMaxWindowBits) { @@ -17306,26 +17352,51 @@ var require_permessage_deflate = __commonJS({ } windowBits = Number.parseInt(this.#options.serverMaxWindowBits); } - this.#inflate = createInflateRaw({ windowBits }); + try { + this.#inflate = createInflateRaw({ windowBits }); + } catch (err) { + callback(err); + return; + } this.#inflate[kBuffer] = []; this.#inflate[kLength] = 0; this.#inflate.on("data", (data2) => { - this.#inflate[kBuffer].push(data2); + if (this.#aborted) { + return; + } this.#inflate[kLength] += data2.length; + if (this.#inflate[kLength] > this.#maxDecompressedSize) { + this.#aborted = true; + this.#inflate.removeAllListeners(); + this.#inflate.destroy(); + this.#inflate = null; + if (this.#currentCallback) { + const cb = this.#currentCallback; + this.#currentCallback = null; + cb(new MessageSizeExceededError()); + } + return; + } + this.#inflate[kBuffer].push(data2); }); this.#inflate.on("error", (err) => { this.#inflate = null; callback(err); }); } + this.#currentCallback = callback; this.#inflate.write(chunk); if (fin) { this.#inflate.write(tail); } this.#inflate.flush(() => { + if (this.#aborted || !this.#inflate) { + return; + } const full = Buffer.concat(this.#inflate[kBuffer], this.#inflate[kLength]); this.#inflate[kBuffer].length = 0; this.#inflate[kLength] = 0; + this.#currentCallback = null; callback(null, full); }); } @@ -17365,12 +17436,20 @@ var require_receiver = __commonJS({ #fragments = []; /** @type {Map} */ #extensions; - constructor(ws, extensions) { + /** @type {{ maxDecompressedMessageSize?: number }} */ + #options; + /** + * @param {import('./websocket').WebSocket} ws + * @param {Map|null} extensions + * @param {{ maxDecompressedMessageSize?: number }} [options] + */ + constructor(ws, extensions, options = {}) { super(); this.ws = ws; this.#extensions = extensions == null ? /* @__PURE__ */ new Map() : extensions; + this.#options = options; if (this.#extensions.has("permessage-deflate")) { - this.#extensions.set("permessage-deflate", new PerMessageDeflate(extensions)); + this.#extensions.set("permessage-deflate", new PerMessageDeflate(extensions, options)); } } /** @@ -17468,12 +17547,12 @@ var require_receiver = __commonJS({ } const buffer = this.consume(8); const upper = buffer.readUInt32BE(0); - if (upper > 2 ** 31 - 1) { + const lower = buffer.readUInt32BE(4); + if (upper !== 0 || lower > 2 ** 31 - 1) { failWebsocketConnection(this.ws, "Received payload length > 2^31 bytes."); return; } - const lower = buffer.readUInt32BE(4); - this.#info.payloadLength = (upper << 8) + lower; + this.#info.payloadLength = lower; this.#state = parserStates.READ_DATA; } else if (this.#state === parserStates.READ_DATA) { if (this.#byteOffset < this.#info.payloadLength) { @@ -17495,7 +17574,7 @@ var require_receiver = __commonJS({ } else { this.#extensions.get("permessage-deflate").decompress(body, this.#info.fin, (error2, data2) => { if (error2) { - closeWebSocketConnection(this.ws, 1007, error2.message, error2.message.length); + failWebsocketConnection(this.ws, error2.message); return; } this.#fragments.push(data2); @@ -17764,6 +17843,8 @@ var require_websocket = __commonJS({ #extensions = ""; /** @type {SendQueue} */ #sendQueue; + /** @type {{ maxDecompressedMessageSize?: number }} */ + #options; /** * @param {string} url * @param {string|string[]} protocols @@ -17807,6 +17888,9 @@ var require_websocket = __commonJS({ throw new DOMException("Invalid Sec-WebSocket-Protocol value", "SyntaxError"); } this[kWebSocketURL] = new URL(urlRecord.href); + this.#options = { + maxDecompressedMessageSize: options.maxDecompressedMessageSize + }; const client = environmentSettingsObject.settingsObject; this[kController] = establishWebSocketConnection( urlRecord, @@ -17990,7 +18074,7 @@ var require_websocket = __commonJS({ */ #onConnectionEstablished(response, parsedExtensions) { this[kResponse] = response; - const parser = new ByteParser(this, parsedExtensions); + const parser = new ByteParser(this, parsedExtensions, this.#options); parser.on("drain", onParserDrain); parser.on("error", onParserError.bind(this)); response.socket.ws = this; @@ -18065,6 +18149,19 @@ var require_websocket = __commonJS({ { key: "headers", converter: webidl.nullableConverter(webidl.converters.HeadersInit) + }, + { + key: "maxDecompressedMessageSize", + converter: webidl.nullableConverter((V) => { + V = webidl.converters["unsigned long long"](V); + if (V <= 0) { + throw webidl.errors.exception({ + header: "WebSocket constructor", + message: "maxDecompressedMessageSize must be greater than 0" + }); + } + return V; + }) } ]); webidl.converters["DOMString or sequence or WebSocketInit"] = function(V) {