Merge pull request #291 from nhooyr/dos-56b8

nhooyr · web-flow · commit 3604edcb8574 · 2021-04-07T12:02:58.000-04:00
Fix DOS attack from malicious pongs
diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile
@@ -10,5 +10,5 @@ RUN go get golang.org/x/tools/cmd/stringer
 RUN go get golang.org/x/lint/golint
 RUN go get github.com/agnivade/wasmbrowsertest
 
-RUN npm install -g prettier
-RUN npm install -g netlify-cli
+RUN npm --unsafe-perm=true install -g prettier
+RUN npm --unsafe-perm=true install -g netlify-cli
diff --git a/conn_notjs.go b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong
diff --git a/read.go b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {`
`189`	`189`	`}`
`190`	`190`
`191`	`191`	`func (c *Conn) ping(ctx context.Context, p string) error {`
`192`		`- pong := make(chan struct{})`
	`192`	`+ pong := make(chan struct{}, 1)`
`193`	`193`
`194`	`194`	`c.activePingsMu.Lock()`
`195`	`195`	`c.activePings[p] = pong`
Original file line number	Diff line number	Diff line change
`@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {`
`271`	`271`	`pong, ok := c.activePings[string(b)]`
`272`	`272`	`c.activePingsMu.Unlock()`
`273`	`273`	`if ok {`
`274`		`- close(pong)`
	`274`	`+ select {`
	`275`	`+ case pong <- struct{}{}:`
	`276`	`+ default:`
	`277`	`+ }`
`275`	`278`	`}`
`276`	`279`	`return nil`
`277`	`280`	`}`