Bump version to 0.6.4.

In draft-75/76, passing a number to text() or frame() results in the
sender allocating a buffer of that size and sending it to the other
peer, leaking random blocks of memory.

In hybi, a call to text(), binary() or ping() with a number will fail,
because the input is expected to be a buffer and so an internal method
call fails.

Both kinds of driver now convert numbers to strings, which is what
browsers do with calls to send().

.travis.yml

@@ -1,3 +1,4 @@
+sudo: false
 language: node_js
 
 node_js:
@@ -5,7 +6,11 @@ node_js:
   - "0.8"
   - "0.10"
   - "0.12"
-  - "iojs"
+  - "iojs-1"
+  - "iojs-2"
+  - "iojs-3"
+  - "4"
+  - "5"
 
 before_install:
   - '[ "${TRAVIS_NODE_VERSION}" = "0.6" ] && npm conf set strict-ssl false || true'

CHANGELOG.md

@@ -1,3 +1,16 @@
+### 0.6.4 / 2016-01-07
+
+* If a number is given as input for a frame payload, send it as a string
+
+### 0.6.3 / 2015-11-06
+
+* Reject draft-76 handshakes if their Sec-WebSocket-Key headers are invalid
+* Throw a more helpful error if a client is created with an invalid URL
+
+### 0.6.2 / 2015-07-18
+
+* When the peer sends a close frame with no error code, emit 1000
+
 ### 0.6.1 / 2015-07-13
 
 * Use the `buffer.{read,write}UInt{16,32}BE` methods for reading/writing numbers

CODE_OF_CONDUCT.md

@@ -0,0 +1,4 @@
+# Code of Conduct
+
+All projects under the [Faye](https://github.com/faye) umbrella are covered by
+the [Code of Conduct](https://github.com/faye/code-of-conduct).

README.md

@@ -363,7 +363,7 @@ using the `Sec-WebSocket-Protocol` mechanism. This value becomes available after
 
 (The MIT License)
 
-Copyright (c) 2010-2015 James Coglan
+Copyright (c) 2010-2016 James Coglan
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the 'Software'), to deal in

lib/websocket/driver/client.js

@@ -20,6 +20,9 @@ var Client = function(_url, options) {
   var uri  = url.parse(this.url),
       auth = uri.auth && new Buffer(uri.auth, 'utf8').toString('base64');
 
+  if (this.VALID_PROTOCOLS.indexOf(uri.protocol) < 0)
+    throw new Error(this.url + ' is not a valid WebSocket URL');
+
   this._pathname = (uri.pathname || '/') + (uri.search || '');
 
   this._headers.set('Host', uri.host);
@@ -41,6 +44,8 @@ Client.generateKey = function() {
 };
 
 var instance = {
+  VALID_PROTOCOLS: ['ws:', 'wss:'],
+
   proxy: function(origin, options) {
     return new Proxy(this, origin, options);
   },

lib/websocket/driver/draft75.js

@@ -83,6 +83,8 @@ var instance = {
     if (this.readyState === 0) return this._queue([buffer]);
     if (this.readyState > 1) return false;
 
+    if (typeof buffer !== 'string') buffer = buffer.toString();
+
     var payload = new Buffer(buffer, 'utf8'),
         frame   = new Buffer(payload.length + 2);
 

lib/websocket/driver/draft76.js

@@ -49,6 +49,24 @@ var instance = {
   },
 
   _handshakeResponse: function() {
+    var headers = this._request.headers,
+
+        key1    = headers['sec-websocket-key1'],
+        number1 = numberFromKey(key1),
+        spaces1 = spacesInKey(key1),
+
+        key2    = headers['sec-websocket-key2'],
+        number2 = numberFromKey(key2),
+        spaces2 = spacesInKey(key2);
+
+    if (number1 % spaces1 !== 0 || number2 % spaces2 !== 0) {
+      this.emit('error', new Error('Client sent invalid Sec-WebSocket-Key headers'));
+      this.close();
+      return null;
+    }
+
+    this._keyValues = [number1 / spaces1, number2 / spaces2];
+
     var start   = 'HTTP/1.1 101 WebSocket Protocol Handshake',
         headers = [start, this._headers.toString(), ''];
 
@@ -58,16 +76,11 @@ var instance = {
   _handshakeSignature: function() {
     if (this._body.length < this.BODY_SIZE) return null;
 
-    var headers = this._request.headers,
-        key1    = headers['sec-websocket-key1'],
-        value1  = numberFromKey(key1) / spacesInKey(key1),
-        key2    = headers['sec-websocket-key2'],
-        value2  = numberFromKey(key2) / spacesInKey(key2),
-        md5     = crypto.createHash('md5'),
-        buffer  = new Buffer(8 + this.BODY_SIZE);
+    var md5    = crypto.createHash('md5'),
+        buffer = new Buffer(8 + this.BODY_SIZE);
 
-    buffer.writeUInt32BE(value1, 0);
-    buffer.writeUInt32BE(value2, 4);
+    buffer.writeUInt32BE(this._keyValues[0], 0);
+    buffer.writeUInt32BE(this._keyValues[1], 4);
     new Buffer(this._body).copy(buffer, 8, 0, this.BODY_SIZE);
 
     md5.update(buffer);

lib/websocket/driver/hybi.js

@@ -94,6 +94,7 @@ var instance = {
   },
 
   ERROR_CODES:        [1000, 1001, 1002, 1003, 1007, 1008, 1009, 1010, 1011],
+  DEFAULT_ERROR_CODE: 1000,
   MIN_RESERVED_ERROR: 3000,
   MAX_RESERVED_ERROR: 4999,
 
@@ -191,7 +192,8 @@ var instance = {
     if (this.readyState <= 0) return this._queue([buffer, type, code]);
     if (this.readyState > 2) return false;
 
-    if (buffer instanceof Array) buffer = new Buffer(buffer);
+    if (buffer instanceof Array)    buffer = new Buffer(buffer);
+    if (typeof buffer === 'number') buffer = buffer.toString();
 
     var message = new Message(),
         isText  = (typeof buffer === 'string'),
@@ -403,7 +405,7 @@ var instance = {
       return this._emitMessage(this._message);
 
     if (opcode === this.OPCODES.close) {
-      code   = (payload.length >= 2) ? 256 * payload[0] + payload[1] : null;
+      code   = (payload.length >= 2) ? payload.readUInt16BE(0) : null;
       reason = (payload.length > 2) ? this._encode(payload.slice(2)) : null;
 
       if (!(payload.length === 0) &&
@@ -414,7 +416,7 @@ var instance = {
       if (payload.length > 125 || (payload.length > 2 && !reason))
         code = this.ERRORS.protocol_error;
 
-      this._shutdown(code, reason || '');
+      this._shutdown(code || this.DEFAULT_ERROR_CODE, reason || '');
     }
 
     if (opcode === this.OPCODES.ping) {

package.json

@@ -1,11 +1,11 @@
 { "name"            : "websocket-driver"
 , "description"     : "WebSocket protocol handler with pluggable I/O"
-, "homepage"        : "http://github.com/faye/websocket-driver-node"
+, "homepage"        : "https://github.com/faye/websocket-driver-node"
 , "author"          : "James Coglan <jcoglan@gmail.com> (http://jcoglan.com/)"
 , "keywords"        : ["websocket"]
 , "license"         : "MIT"
 
-, "version"         : "0.6.1"
+, "version"         : "0.6.4"
 , "engines"         : {"node": ">=0.6.0"}
 , "main"            : "./lib/websocket/driver"
 , "dependencies"    : {"websocket-extensions": ">=0.1.1"}
@@ -17,5 +17,5 @@
                       , "url"   : "git://github.com/faye/websocket-driver-node.git"
                       }
 
-, "bugs"            : "http://github.com/faye/websocket-driver-node/issues"
+, "bugs"            : "https://github.com/faye/websocket-driver-node/issues"
 }

spec/websocket/driver/client_spec.js

@@ -109,6 +109,16 @@ test.describe("Client", function() { with(this) {
         }})
       }})
 
+      describe("with an invalid URL", function() { with(this) {
+        define("url", function() { return "stream.wikimedia.org/rc" })
+
+        it("throws an error", function() { with(this) {
+          var message
+          try { driver() } catch (e) { message = e.message }
+          assertEqual( "stream.wikimedia.org/rc is not a valid WebSocket URL", message )
+        }})
+      }})
+
       describe("with custom headers", function() { with(this) {
         before(function() { with(this) {
           driver().setHeader("User-Agent", "Chrome")

spec/websocket/driver/draft75_examples.js

@@ -77,6 +77,11 @@ test.describe("draft-75", function() { with(this) {
           assertEqual( [0x00, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x3d, 0x20, 0xef, 0xa3, 0xbf, 0xff], collector().bytes )
         }})
 
+        it("converts numbers to strings", function() { with(this) {
+          driver().frame(50)
+          assertEqual( [0x00, 0x35, 0x30, 0xff], collector().bytes )
+        }})
+
         it("returns true", function() { with(this) {
           assertEqual( true, driver().frame("lol") )
         }})

spec/websocket/driver/draft76_spec.js

@@ -34,6 +34,7 @@ test.describe("Draft76", function() { with(this) {
     var self = this
     this._driver.on('open',    function(e) { self.open = true })
     this._driver.on('message', function(e) { self.message += e.data })
+    this._driver.on('error',   function(e) { self.error = e })
     this._driver.on('close',   function(e) { self.close = true })
     this._driver.io.pipe(this.collector())
     this._driver.io.write(this.body())
@@ -81,6 +82,37 @@ test.describe("Draft76", function() { with(this) {
         driver().start()
         assertEqual( "hixie-76", driver().version )
       }})
+
+      describe("with an invalid key header", function() { with(this) {
+        before(function() { with(this) {
+          request().headers["sec-websocket-key1"] = "2 L785 8o% s9Sy9@V. 4<1P5"
+        }})
+
+        it("writes a closing frame to the socket", function() { with(this) {
+          expect(driver().io, "emit").given("data", buffer([0xff, 0x00]))
+          driver().start()
+        }})
+
+        it("does not trigger the onopen event", function() { with(this) {
+          driver().start()
+          assertEqual( false, open )
+        }})
+
+        it("triggers the onerror event", function() { with(this) {
+          driver().start()
+          assertEqual( "Client sent invalid Sec-WebSocket-Key headers", error.message )
+        }})
+
+        it("triggers the onclose event", function() { with(this) {
+          driver().start()
+          assertEqual( true, close )
+        }})
+
+        it("changes the state to closed", function() { with(this) {
+          driver().start()
+          assertEqual( "closed", driver().getState()  )
+        }})
+      }})
     }})
 
     describe("frame", function() { with(this) {

spec/websocket/driver/hybi_spec.js

@@ -420,6 +420,11 @@ test.describe("Hybi", function() { with(this) {
         assertEqual( [0x82, 0x03, 0x48, 0x65, 0x6c], collector().bytes )
       }})
 
+      it("converts numbers to strings", function() { with(this) {
+        driver().frame(50)
+        assertEqual( [0x81, 0x02, 0x35, 0x30], collector().bytes )
+      }})
+
       it("encodes multibyte characters correctly", function() { with(this) {
         driver().frame("Apple = ")
         assertEqual( [0x81, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x3d, 0x20, 0xef, 0xa3, 0xbf], collector().bytes )
@@ -452,6 +457,11 @@ test.describe("Hybi", function() { with(this) {
         assertEqual( [0x89, 0x09, 0x6d, 0x69, 0x63, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b], collector().bytes )
       }})
 
+      it("converts numbers to strings", function() { with(this) {
+        driver().ping(50)
+        assertEqual( [0x89, 0x02, 0x35, 0x30], collector().bytes )
+      }})
+
       it("returns true", function() { with(this) {
         assertEqual( true, driver().ping() )
       }})
@@ -595,6 +605,34 @@ test.describe("Hybi", function() { with(this) {
         this.driver().parse([0x88, 0x04, 0x03, 0xe9, 0x4f, 0x4b])
       }})
     }})
+
+    describe("receiving a close frame with a too-short payload", function() { with(this) {
+      before(function() {
+        this.driver().parse([0x88, 0x01, 0x03])
+      })
+
+      it("triggers the onclose event with a protocol error", function() { with(this) {
+        assertEqual( [1002, ""], close )
+      }})
+
+      it("changes the state to closed", function() { with(this) {
+        assertEqual( "closed", driver().getState() )
+      }})
+    }})
+
+    describe("receiving a close frame with no code", function() { with(this) {
+      before(function() { with(this) {
+        this.driver().parse([0x88, 0x00])
+      }})
+
+      it("triggers the onclose event with code 1000", function() { with(this) {
+        assertEqual( [1000, ""], close )
+      }})
+
+      it("changes the state to closed", function() { with(this) {
+        assertEqual( "closed", driver().getState() )
+      }})
+    }})
   }})
 
   describe("in the closed state", function() { with(this) {