Fix security issue

WebSocket messages should not be processed until `initially` has finished and has a chance to optionally close the connection completely.

Disconnects and protocol-level errors are processed regardless - these occur at a lower level and should be preserved for consistency with connects.

Author: joshkel

hapi-plugin-websocket.js

@@ -215,7 +215,10 @@ const register = async (server, pluginOptions) => {
             delete headers["accept-encoding"]
 
             /*  optionally inject an empty initial message  */
+            let initially;
             if (routeOptions.initially) {
+                let resolveInitially;
+                initially = new Promise(resolve => resolveInitially = resolve);
                 /*  inject incoming WebSocket message as a simulated HTTP request  */
                 server.inject({
                     /*  simulate the hard-coded POST request  */
@@ -236,7 +239,10 @@ const register = async (server, pluginOptions) => {
                 }).then(response => {
                     /*  any HTTP redirection, client error or server error response
                         leads to an immediate WebSocket connection drop  */
-                    if (response.statusCode >= 300) {
+                    if (response.statusCode < 300) {
+                        resolveInitially(true);
+                    } else {
+                        resolveInitially(false);
                         const annotation = `(HAPI handler responded with HTTP status ${response.statusCode})`
                         if (response.statusCode < 400)
                             ws.close(1002, `Protocol Error ${annotation}`)
@@ -252,6 +258,10 @@ const register = async (server, pluginOptions) => {
             if (routeOptions.frame === true) {
                 /*  framed WebSocket communication (correlated request/reply)  */
                 wsf.on("message", async (ev) => {
+                    if (initially && !(await initially)) {
+                        return;
+                    }
+
                     /*  allow application to hook into raw WebSocket frame processing  */
                     routeOptions.frameMessage.call(ctx, { ctx, wss, ws, wsf, req, peers }, ev.frame)
 
@@ -294,6 +304,10 @@ const register = async (server, pluginOptions) => {
             else {
                 /*  plain WebSocket communication (uncorrelated request/response)  */
                 ws.on("message", async (message) => {
+                    if (initially && !(await initially)) {
+                        return;
+                    }
+
                     /*  inject incoming WebSocket message as a simulated HTTP request  */
                     const response = await server.inject({
                         /*  simulate the hard-coded POST request  */
@@ -322,6 +336,7 @@ const register = async (server, pluginOptions) => {
             /*  hook into WebSocket disconnection  */
             ws.on("close", () => {
                 /*  allow application to hook into WebSocket disconnection  */
+                /*  note that this is done even if the `initially` handler closes the connection */
                 routeOptions.disconnect.call(ctx, { ctx, wss, ws, wsf, req, peers })
 
                 /*  stop tracking the peer  */
@@ -330,6 +345,7 @@ const register = async (server, pluginOptions) => {
             })
 
             /*  allow application to hook into WebSocket error processing  */
+            /*  note that this is done even if the `initially` handler closes the connection */
             ws.on("error", (error) => {
                 routeOptions.error.call(ctx, { ctx, wss, ws, wsf, req, peers }, error)
             })