Timeout http upgrade requests that are not otherwise handled

Fixes #2956

packages/node_modules/@node-red/runtime/lib/index.js

@@ -64,6 +64,27 @@ var server;
  */
 function init(userSettings,httpServer,_adminApi) {
     server = httpServer;
+
+    if (server && server.on) {
+        // Add a listener to the upgrade event so that we can properly timeout connection
+        // attempts that do not get handled by any nodes in the user's flow.
+        // See #2956
+        server.on('upgrade',(request, socket, head) => {
+            // Add a no-op handler to the error event in case nothing upgrades this socket
+            // before the remote end closes it. This ensures we don't get as uncaughtException
+            socket.on("error", err => {})
+            setTimeout(function() {
+                // If this request has been handled elsewhere, the upgrade will have
+                // been completed and bytes written back to the client.
+                // If nothing has been written on the socket, nothing has handled the
+                // upgrade, so we can consider this an unhandled upgrade.
+                if (socket.bytesWritten === 0) {
+                    socket.destroy();
+                }
+            },userSettings.inboundWebSocketTimeout || 5000)
+        });
+    }
+
     userSettings.version = getVersion();
     settings.init(userSettings);
 

packages/node_modules/node-red/settings.js

@@ -46,6 +46,12 @@ module.exports = {
     //  defaults to 10Mb
     //execMaxBufferSize: 10000000,
 
+    // Timeout in milliseconds for inbound WebSocket connections that do not
+    // match any configured node.
+    //  defaults to 5000
+    //inboundWebSocketTimeout: 5000
+
+
     // The maximum length, in characters, of any message sent to the debug sidebar tab
     debugMaxLength: 1000,