faye/websocket-extensions-ruby
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: faye/websocket-extensions-ruby:0.1.4
Branches Tags
faye/websocket-extensions-ruby:main
faye/websocket-extensions-ruby:0.1.5 faye/websocket-extensions-ruby:0.1.4 faye/websocket-extensions-ruby:0.1.3 faye/websocket-extensions-ruby:0.1.2 faye/websocket-extensions-ruby:0.1.1 faye/websocket-extensions-ruby:0.1.0
...
compare: faye/websocket-extensions-ruby:main
Branches Tags
faye/websocket-extensions-ruby:main
faye/websocket-extensions-ruby:0.1.5 faye/websocket-extensions-ruby:0.1.4 faye/websocket-extensions-ruby:0.1.3 faye/websocket-extensions-ruby:0.1.2 faye/websocket-extensions-ruby:0.1.1 faye/websocket-extensions-ruby:0.1.0

14 Commits
0.1.4 ... main

Author SHA1 Message Date
James Coglan c7e1f86979 Run tests on some additional Ruby versions 2023-09-07 19:31:30 +01:00
James Coglan 3c0fda5b21 Test on Ruby 3.1 2022-02-06 23:44:56 +00:00
James Coglan 5891358639 As of rspec-mocks v3.10.3, mock expectations need to use explicit hashes to avoid confusion with keyword args 2022-02-06 23:36:18 +00:00
James Coglan 84b869effb Switch from Travis CI to GitHub Actions 2021-05-18 00:41:08 +01:00
James Coglan 6ea62a9965 Enable Bundler caching for Travis 2021-03-12 16:37:55 +00:00
James Coglan 1d80737dce Update Ruby versions on Travis 2021-02-23 02:37:51 +00:00
James Coglan a0f23c5d3c Merge pull request #7 from timcraft/patch-1 
Test on ruby 3.0
 2021-01-06 15:32:47 +00:00
timcraft 8b6c706737 Test on ruby 3.0 2021-01-06 14:56:23 +00:00
James Coglan 402222fdd9 Bump version to 0.1.5 2020-06-02 13:52:20 +01:00
James Coglan aa156a439d Remove ReDoS vulnerability in the Sec-WebSocket-Extensions header parser 
There is a regular expression denial of service (ReDoS) vulnerability in
the parser we use to process the `Sec-WebSocket-Extensions` header. It
can be exploited by sending an opening WebSocket handshake to a server
containing a header of the form:

    Sec-WebSocket-Extensions: a;b="\c\c\c\c\c\c\c\c\c\c ...

i.e. a header containing an unclosed string parameter value whose
content is a repeating two-byte sequence of a backslash and some other
character. The parser takes exponential time to reject this header as
invalid, and this can be used to exhaust the server's capacity to
process requests.

This vulnerability has been assigned the identifier CVE-2020-7663.

We believe this flaw stems from the grammar specified for this header.
[RFC 6455][1] defines the grammar for the header as:

    Sec-WebSocket-Extensions = extension-list

    extension-list    = 1#extension
    extension         = extension-token *( ";" extension-param )
    extension-token   = registered-token
    registered-token  = token
    extension-param   = token [ "=" (token | quoted-string) ]

It refers to [RFC 2616][2] for the definitions of `token` and
`quoted-string`, which are:

    token          = 1*<any CHAR except CTLs or separators>
    separators     = "(" | ")" | "<" | ">" | "@"
                   | "," | ";" | ":" | "\" | <">
                   | "/" | "[" | "]" | "?" | "="
                   | "{" | "}" | SP | HT

    quoted-string  = ( <"> *(qdtext | quoted-pair ) <"> )
    qdtext         = <any TEXT except <">>
    quoted-pair    = "\" CHAR

These rely on the `CHAR`, `CTL` and `TEXT` grammars, which are:

    CHAR           = <any US-ASCII character (octets 0 - 127)>
    CTL            = <any US-ASCII control character (octets 0 - 31) and DEL (127)>
    TEXT           = <any OCTET except CTLs, but including LWS>

Other relevant definitions to support these:

    OCTET          = <any 8-bit sequence of data>
    LWS            = [CRLF] 1*( SP | HT )
    CRLF           = CR LF

    HT             = <US-ASCII HT, horizontal-tab (9)>
    LF             = <US-ASCII LF, linefeed (10)>
    CR             = <US-ASCII CR, carriage return (13)>
    SP             = <US-ASCII SP, space (32)>

To expand some of these terms out and write them as regular expressions:

    OCTET         = [\x00-\xFF]
    CHAR          = [\x00-\x7F]
    TEXT          = [\t \x21-\x7E\x80-\xFF]

The allowable bytes for `token` are [\x00-\x7F], except [\x00-\x1F\x7F]
(leaving [\x20-\x7E]) and `separators`, which leaves the following set
of allowed chars:

    ! # $ % & ' * + - . ^ _ ` | ~ [0-9] [A-Z] [a-z]

`quoted-string` contains a repeated pattern of either `qdtext` or
`quoted-pair`. `qdtext` is any `TEXT` byte except <">, and the <">
character is ASCII 34, or 0x22. The <!> character is 0x21. So `qdtext`
can be written either positively as:

    qdtext        = [\t !\x23-\x7E\x80-\xFF]

or negatively, as:

    qdtext        = [^\x00-\x08\x0A-\x1F\x7F"]

We use the negative definition here. The other alternative in the
`quoted-string` pattern is:

    quoted-pair   = \\[\x00-\x7F]

The problem is that the set of bytes matched by `qdtext` includes <\>,
and intersects with the second element of `quoted-pair`. That means the
sequence \c can be matched as either two `qdtext` bytes, or as a single
`quoted-pair`. When the regex engine fails to find a trailing <"> to
close the string, it back-tracks and tries every alternate parse for the
string, which doubles with each pair of bytes in the input.

To fix the ReDoS flaw we need to rewrite the repeating pattern so that
none of its alternate branches can match the same text. For example, we
could try dividing the set of bytes [\x00-\xFF] into those that must not
follow a <\>, those that may follow a <\>, and those that must be
preceded by <\>, and thereby construct a pattern of the form:

    (A|\?B|\C)*

where A, B and C have no characters in common. In our case the three
branch patterns would be:

    A   =   qdtext - CHAR   =   [\x80-\xFF]
    B   =   qdtext & CHAR   =   [\t !\x23-\x7E]
    C   =   CHAR - qdtext   =   [\x00-\x08\x0A-\x1F\x7F"]

These sets do not intersect, and notice <"> appears in set C so must be
preceded by <\>. But we still have a problem: <\> (0x5C) and all the
alphabetic characters are in set B, so the pattern \?B can match all
these:

    c
    \
    \c

So the sequence \c\c\c... still produces exponential back-tracking. It
also fails to parse input like this correctly:

    Sec-WebSocket-Extensions: a; b="c\", d"

Because the grammar allows a single backslash to appear by itself, this
is arguably a syntax error where the parameter `b` has value `c\` and
then a new extension `d` begins with a <"> appearing where it should
not.

So the core problem is with the grammar itself: `qdtext` matches a
single backslash <\>, and `quoted-pair` matches a pair <\\>. So given a
sequence of backslashes there's no canonical parse and the grammar is
ambiguous.

[RFC 7230][3] remedies this problem and makes the grammar clearer.
First, it defines `token` explicitly rather than implicitly:

    token          = 1*tchar

    tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
                   / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
                   / DIGIT / ALPHA

And second, it defines `quoted-string` so that backslashes cannot appear
on their own:

     quoted-string  = DQUOTE *( qdtext / quoted-pair ) DQUOTE
     qdtext         = HTAB / SP /%x21 / %x23-5B / %x5D-7E / obs-text
     obs-text       = %x80-FF
     quoted-pair    = "\" ( HTAB / SP / VCHAR / obs-text )

where VCHAR is any printing ASCII character 0x21-0x7E. Notice `qdtext`
is just our previous definition but with 5C excluded, so it cannot
accept a single backslash.

This commit makes this modification to our matching patterns, and
thereby removes the ReDoS vector. Technically this means it does not
match the grammar of RFC 6455, but we expect this to have little or no
practical impact, especially since the one main protocol extension,
`permessage-deflate` ([RFC 7692][4]), does not have any string-valued
parameters.

[1]: https://tools.ietf.org/html/rfc6455#section-9.1
[2]: https://tools.ietf.org/html/rfc2616#section-2.2
[3]: https://tools.ietf.org/html/rfc7230#section-3.2.6
[4]: https://tools.ietf.org/html/rfc7692
 2020-06-02 13:51:02 +01:00
James Coglan 8174a4a0f9 Test on JRuby 9.{0,1,2} rather than "head" 2020-05-14 23:30:22 +01:00
James Coglan 96059802a6 Update Ruby versions 2.4 to 2.7 on Travis 2020-05-14 17:20:12 +01:00
James Coglan bd6d0acc01 Mention license change in the changelog 2019-06-13 11:40:37 +01:00
James Coglan a8c847876b Formatting change: {...} should have spaces inside the braces 2019-06-11 16:08:53 +01:00
10 changed files with 86 additions and 62 deletions
Expand all files Collapse all files
.github/workflows/test.yml
+34
View File
@@ -0,0 +1,34 @@
on:
- push
- pull_request
jobs:
test:
strategy:
fail-fast: false
matrix:
ruby:
- ruby-2.0
- ruby-2.1
# - ruby-2.2
- ruby-2.3
- ruby-2.4
- ruby-2.5
- ruby-2.6
- ruby-2.7
- ruby-3.0
- ruby-3.1
- ruby-3.2
- jruby-9.1
- jruby-9.2
- jruby-9.3
- jruby-9.4
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: ruby/setup-ruby@v1
with:
ruby-version: ${{ matrix.ruby }}
bundler-cache: true
- run: ruby --version
- run: bundle exec rspec
.travis.yml
-21
View File
@@ -1,21 +0,0 @@
sudo: false
dist: trusty
language: ruby
rvm:
- 1.9.3
- 2.0.0
- 2.1.10
- 2.2.10
- 2.3.8
- 2.4.6
- 2.5.5
- 2.6.3
- jruby-19mode
- jruby-head
before_install:
- '[[ "$(ruby --version)" == *"1.9.3"* ]] && gem update --system 2.4.8 || true'
script:
- bundle exec rspec -c spec
CHANGELOG.md
+5
View File
@@ -1,6 +1,11 @@
### 0.1.5 / 2020-06-02
- Remove a ReDoS vulnerability in the header parser (CVE-2020-7663)
### 0.1.4 / 2019-06-10
- Fix a deprecation warning for using the `=~` operator on `true`
- Change license from MIT to Apache 2.0
### 0.1.3 / 2017-11-11
LICENSE.md
+1 -1
View File
@@ -1,4 +1,4 @@
Copyright 2014-2019 James Coglan
Copyright 2014-2020 James Coglan
Licensed under the Apache License, Version 2.0 (the "License"); you may not use
this file except in compliance with the License. You may obtain a copy of the
README.md
+6 -6
View File
@@ -1,4 +1,4 @@
# websocket-extensions [![Build status](https://secure.travis-ci.org/faye/websocket-extensions-ruby.svg)](http://travis-ci.org/faye/websocket-extensions-ruby)
# websocket-extensions
A minimal framework that supports the implementation of WebSocket extensions in
a way that's decoupled from the main protocol. This library aims to allow a
@@ -227,8 +227,8 @@ then the `permessage-deflate` extension will receive the call:
```rb
ext.create_server_session([
{'server_no_context_takeover' => true, 'server_max_window_bits' => 8},
{'server_max_window_bits' => 15}
{ 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 },
{ 'server_max_window_bits' => 15 }
])
```
@@ -244,8 +244,8 @@ implement the following methods, as well as the *Session* API listed below.
```rb
client_session.generate_offer
# e.g. -> [
# {'server_no_context_takeover' => true, 'server_max_window_bits' => 8},
# {'server_max_window_bits' => 15}
# { 'server_no_context_takeover' => true, 'server_max_window_bits' => 8 },
# { 'server_max_window_bits' => 15 }
# ]
```
@@ -270,7 +270,7 @@ must implement the following methods, as well as the *Session* API listed below.
```rb
server_session.generate_response
# e.g. -> {'server_max_window_bits' => 8}
# e.g. -> { 'server_max_window_bits' => 8 }
```
This returns the set of parameters the server session wants to send in its
lib/websocket/extensions.rb
+6 -6
View File
@@ -38,7 +38,7 @@ module WebSocket
end
if @by_name.has_key?(ext.name)
raise TypeError, %Q{An extension with name "#{ext.name}" is already registered}
raise TypeError, %Q{An extension with name "#{ ext.name }" is already registered}
end
@by_name[ext.name] = ext
@@ -78,18 +78,18 @@ module WebSocket
responses.each_offer do |name, params|
unless record = @index[name]
raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{name}"}
raise ExtensionError, %Q{Server sent am extension response for unknown extension "#{ name } }
end
ext, session = *record
if reserved = reserved?(ext)
raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{reserved[0]} } +
%Q{ bit: "#{reserved[1]}" and "#{ext.name}"}
raise ExtensionError, %Q{Server sent two extension responses that use the RSV#{ reserved[0] }} +
%Q{bit: "#{ reserved[1] }" and "#{ ext.name }"}
end
unless session.activate(params) == true
raise ExtensionError, %Q{Server send unacceptable extension parameters: #{Parser.serialize_params(name, params)}}
raise ExtensionError, %Q{Server send unacceptable extension parameters: #{ Parser.serialize_params(name, params) }}
end
reserve(ext)
@@ -118,7 +118,7 @@ module WebSocket
end
def valid_frame_rsv(frame)
allowed = {:rsv1 => false, :rsv2 => false, :rsv3 => false}
allowed = { :rsv1 => false, :rsv2 => false, :rsv3 => false }
if MESSAGE_OPCODES.include?(frame.opcode)
@sessions.each do |ext, session|
lib/websocket/extensions/parser.rb
+5 -5
View File
@@ -6,10 +6,10 @@ module WebSocket
class Parser
TOKEN = /([!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z]+)/
NOTOKEN = /([^!#\$%&'\*\+\-\.\^_`\|~0-9A-Za-z])/
QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"])*)"/
PARAM = %r{#{TOKEN.source}(?:=(?:#{TOKEN.source}|#{QUOTED.source}))?}
EXT = %r{#{TOKEN.source}(?: *; *#{PARAM.source})*}
EXT_LIST = %r{^#{EXT.source}(?: *, *#{EXT.source})*$}
QUOTED = /"((?:\\[\x00-\x7f]|[^\x00-\x08\x0a-\x1f\x7f"\\])*)"/
PARAM = %r{#{ TOKEN.source }(?:=(?:#{ TOKEN.source }|#{ QUOTED.source }))?}
EXT = %r{#{ TOKEN.source }(?: *; *#{ PARAM.source })*}
EXT_LIST = %r{^#{ EXT.source }(?: *, *#{ EXT.source })*$}
NUMBER = /^-?(0|[1-9][0-9]*)(\.[0-9]+)?$/
ParseError = Class.new(ArgumentError)
@@ -19,7 +19,7 @@ module WebSocket
return offers if header == '' or header.nil?
unless header =~ EXT_LIST
raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{header}"
raise ParseError, "Invalid Sec-WebSocket-Extensions header: #{ header }"
end
scanner = StringScanner.new(header)
spec/websocket/extensions/parser_spec.rb
+20 -14
View File
@@ -20,62 +20,68 @@ describe WebSocket::Extensions::Parser do
it "parses one offer with no params" do
expect(parse 'a').to eq [
{:name => "a", :params => {}}
{ :name => "a", :params => {} }
]
end
it "parses two offers with no params" do
expect(parse 'a, b').to eq [
{:name => "a", :params => {}}, {:name => "b", :params => {}}
{ :name => "a", :params => {} }, { :name => "b", :params => {} }
]
end
it "parses a duplicate offer name" do
expect(parse 'a, a').to eq [
{:name => "a", :params => {}},
{:name => "a", :params => {}}
{ :name => "a", :params => {} },
{ :name => "a", :params => {} }
]
end
it "parses a flag" do
expect(parse 'a; b').to eq [
{:name => "a", :params => {"b" => true}}
{ :name => "a", :params => { "b" => true } }
]
end
it "parses an unquoted param" do
expect(parse 'a; b=1').to eq [
{:name => "a", :params => {"b" => 1}}
{ :name => "a", :params => { "b" => 1 } }
]
end
it "parses a quoted param" do
expect(parse 'a; b="hi, \"there"').to eq [
{:name => "a", :params => {"b" => 'hi, "there'}}
{ :name => "a", :params => { "b" => 'hi, "there' } }
]
end
it "parses multiple params" do
expect(parse 'a; b; c=1; d="hi"').to eq [
{:name => "a", :params => {"b" => true, "c" => 1, "d" => "hi"}}
{ :name => "a", :params => { "b" => true, "c" => 1, "d" => "hi" } }
]
end
it "parses duplicate params" do
expect(parse 'a; b; c=1; b="hi"').to eq [
{:name => "a", :params => {"b" => [true, "hi"], "c" => 1}}
{ :name => "a", :params => { "b" => [true, "hi"], "c" => 1 } }
]
end
it "parses multiple complex offers" do
expect(parse 'a; b=1, c, b; d, c; e="hi, there"; e, a; b').to eq [
{:name => "a", :params => {"b" => 1}},
{:name => "c", :params => {}},
{:name => "b", :params => {"d" => true}},
{:name => "c", :params => {"e" => ['hi, there', true]}},
{:name => "a", :params => {"b" => true}}
{ :name => "a", :params => { "b" => 1 } },
{ :name => "c", :params => {} },
{ :name => "b", :params => { "d" => true } },
{ :name => "c", :params => { "e" => ['hi, there', true] } },
{ :name => "a", :params => { "b" => true } }
]
end
it "rejects a string missing its closing quote" do
expect {
parse "foo; bar=\"fooa\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a\\a"
}.to raise_error(WebSocket::Extensions::Parser::ParseError)
end
end
describe :serialize_params do
spec/websocket/extensions_spec.rb
+8 -8
View File
@@ -39,7 +39,7 @@ describe WebSocket::Extensions do
describe "client sessions" do
before do
@offer = {"mode" => "compress"}
@offer = { "mode" => "compress" }
allow(@ext).to receive(:create_client_session).and_return(@session)
allow(@session).to receive(:generate_offer).and_return(@offer)
@extensions.add(@ext)
@@ -134,18 +134,18 @@ describe WebSocket::Extensions do
end
it "activates one session with a boolean param" do
expect(@session).to receive(:activate).with("gzip" => true).exactly(1).and_return(true)
expect(@session).to receive(:activate).with({ "gzip" => true }).exactly(1).and_return(true)
@extensions.activate("deflate; gzip")
end
it "activates one session with a string param" do
expect(@session).to receive(:activate).with("mode" => "compress").exactly(1).and_return(true)
expect(@session).to receive(:activate).with({ "mode" => "compress" }).exactly(1).and_return(true)
@extensions.activate("deflate; mode=compress")
end
it "activate multiple sessions" do
expect(@session).to receive(:activate).with("a" => true).exactly(1).and_return(true)
expect(@nonconflict_session).to receive(:activate).with("b" => true).exactly(1).and_return(true)
expect(@session).to receive(:activate).with({ "a" => true }).exactly(1).and_return(true)
expect(@nonconflict_session).to receive(:activate).with({ "b" => true }).exactly(1).and_return(true)
@extensions.activate("deflate; a, reverse; b")
end
@@ -248,7 +248,7 @@ describe WebSocket::Extensions do
describe "server sessions" do
before do
@response = {"mode" => "compress"}
@response = { "mode" => "compress" }
allow(@ext).to receive(:create_server_session).and_return(@session)
allow(@session).to receive(:generate_response).and_return(@response)
@@ -269,12 +269,12 @@ describe WebSocket::Extensions do
describe :generate_response do
it "asks the extension for a server session with the offer" do
expect(@ext).to receive(:create_server_session).with([{"flag" => true}]).exactly(1).and_return(@session)
expect(@ext).to receive(:create_server_session).with([{ "flag" => true }]).exactly(1).and_return(@session)
@extensions.generate_response("deflate; flag")
end
it "asks the extension for a server session with multiple offers" do
expect(@ext).to receive(:create_server_session).with([{"a" => true}, {"b" => true}]).exactly(1).and_return(@session)
expect(@ext).to receive(:create_server_session).with([{ "a" => true }, { "b" => true }]).exactly(1).and_return(@session)
@extensions.generate_response("deflate; a, deflate; b")
end
websocket-extensions.gemspec
+1 -1
View File
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'websocket-extensions'
s.version = '0.1.4'
s.version = '0.1.5'
s.summary = 'Generic extension manager for WebSocket connections'
s.author = 'James Coglan'
s.email = 'jcoglan@gmail.com'