Merge pull request #291 from nhooyr/dos-56b8

Fix DOS attack from malicious pongs

Merge pull request #291 from nhooyr/dos-56b8
3604edcb · Anmol Sethi · GitHub · e4c3b0f8 · b0d7a271 · 3604edcb
Unverified Commit 3604edcb authored Apr 7, 2021 by Anmol Sethi Committed by GitHub Apr 7, 2021
--- a/ci/container/Dockerfile
+++ b/ci/container/Dockerfile
@@ -10,5 +10,5 @@ RUN go get golang.org/x/tools/cmd/stringer
 RUN go get golang.org/x/lint/golint
 RUN go get github.com/agnivade/wasmbrowsertest

-RUN npm install -g prettier
-RUN npm install -g netlify-cli
+RUN npm --unsafe-perm=true install -g prettier
+RUN npm --unsafe-perm=true install -g netlify-cli
--- a/conn_notjs.go
+++ b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }

 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)

 	c.activePingsMu.Lock()
 	c.activePings[p] = pong

--- a/read.go
+++ b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}