Timeout http upgrade requests that are not otherwise handled

Fixes #2956
2025-03-01 10:36:34 +00:00 · 2021-04-26 11:45:28 +01:00
parent bbac49ff38
commit 4cb8e99430
2 changed files with 27 additions and 0 deletions
--- a/packages/node_modules/@node-red/runtime/lib/index.js
+++ b/packages/node_modules/@node-red/runtime/lib/index.js
@@ -64,6 +64,27 @@ var server;
 */
 function init(userSettings,httpServer,_adminApi) {
    server = httpServer;
+
+    if (server && server.on) {
+        // Add a listener to the upgrade event so that we can properly timeout connection
+        // attempts that do not get handled by any nodes in the user's flow.
+        // See #2956
+        server.on('upgrade',(request, socket, head) => {
+            // Add a no-op handler to the error event in case nothing upgrades this socket
+            // before the remote end closes it. This ensures we don't get as uncaughtException
+            socket.on("error", err => {})
+            setTimeout(function() {
+                // If this request has been handled elsewhere, the upgrade will have
+                // been completed and bytes written back to the client.
+                // If nothing has been written on the socket, nothing has handled the
+                // upgrade, so we can consider this an unhandled upgrade.
+                if (socket.bytesWritten === 0) {
+                    socket.destroy();
+                }
+            },userSettings.inboundWebSocketTimeout || 5000)
+        });
+    }
+
    userSettings.version = getVersion();
    settings.init(userSettings);