To help mitigate mtrudel/bandit#149, we should be validating WebSocket upgrade requests against RFC 6455 §4.2.1 at the time the upgrade is requested, and not deferring to the underlying server's checks (which will be run after the Plug life cycle completes). The checks required are already implemented at https://github.com/mtrudel/bandit/blob/main/lib/bandit/websocket/handshake.ex#L15-L34 for reference.

There are a couple of ways we can approach this:

1. Add these checks directly inline in `WebSockAdapter.upgrade/4`. This has the upside of structurally preventing invalid upgrades, but the downside that it's hard to surface the error up to the caller without breaking an existing API (unless we return it in `:private` or similar).
2. Add a `WebSockAdapter.validate_upgrade/1` which takes a `Plug.Conn` and returns any errors for the caller to process. We'd also have to tee up a separate PR to Phoenix to make use of this validation in `Phoenix.Transport.WebSocket`.
3. Do #2, but adding the validation function into a new `Plug.WebSocketHelper` module. The bonus here is that I can hoist up Bandit's existing checks for this and DRY it all up.

Comments / preferences welcome (@chrismccord, relevant to your interests).
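As an added illustration of the `validate_upgrade/1` shape discussed in the issue (example code, not from websock_adapter, Bandit or Phoenix), the script below checks a `Plug.Conn` against the client-handshake requirements of RFC 6455 §4.2.1 and returns either the conn or an error the caller can act on. The module name `UpgradeValidator`, the error atoms and the sample requests are assumptions of this example; it does not claim to mirror Bandit's handshake checks line for line.

```elixir
# Added example, not websock_adapter/Bandit/Phoenix code: a candidate validate_upgrade/1
# checking a Plug.Conn against RFC 6455 §4.2.1. Run with `elixir validate_upgrade.exs`.
Mix.install([{:plug, "~> 1.14"}])

defmodule UpgradeValidator do
  import Plug.Conn, only: [get_req_header: 2]

  # Returns {:ok, conn} or {:error, reason}; the reason atoms are assumptions of this example
  def validate_upgrade(%Plug.Conn{} = conn) do
    with :ok <- check(conn.method == "GET", :method_not_get),
         :ok <- check(get_req_header(conn, "host") != [], :missing_host),
         :ok <- check(header_token?(conn, "upgrade", "websocket"), :invalid_upgrade_header),
         :ok <- check(header_token?(conn, "connection", "upgrade"), :invalid_connection_header),
         :ok <- check(valid_key?(get_req_header(conn, "sec-websocket-key")), :invalid_key),
         :ok <- check(get_req_header(conn, "sec-websocket-version") == ["13"], :unsupported_version) do
      {:ok, conn}
    end
  end

  defp check(true, _reason), do: :ok
  defp check(false, reason), do: {:error, reason}

  # Header values are comma-separated token lists ("keep-alive, Upgrade"), matched case-insensitively
  defp header_token?(conn, name, token) do
    conn
    |> get_req_header(name)
    |> Enum.flat_map(&String.split(&1, ","))
    |> Enum.map(&(&1 |> String.trim() |> String.downcase()))
    |> Enum.member?(token)
  end

  # Exactly one Sec-WebSocket-Key header, whose base64 value must decode to 16 bytes
  defp valid_key?([key]) do
    case Base.decode64(key) do
      {:ok, bytes} -> byte_size(bytes) == 16
      :error -> false
    end
  end
  defp valid_key?(_), do: false
end

# Constructed sample request (not captured traffic); Plug stores header names lowercased
good = %Plug.Conn{method: "GET", req_headers: [
  {"host", "example.com"}, {"upgrade", "websocket"}, {"connection", "keep-alive, Upgrade"},
  {"sec-websocket-key", Base.encode64(:crypto.strong_rand_bytes(16))}, {"sec-websocket-version", "13"}
]}
{:ok, _} = UpgradeValidator.validate_upgrade(good)
{:error, :method_not_get} = UpgradeValidator.validate_upgrade(%Plug.Conn{good | method: "POST"})
IO.puts("upgrade validation behaved as expected")
```

Wired into option 2 above, a Phoenix transport would call this before `WebSockAdapter.upgrade/4` and turn `{:error, reason}` into a 400 response instead of letting the server reject the handshake after the Plug pipeline has already run.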