chore(release): 2.4.0

Diff: https://github.com/socketio/socket.io/compare/2.3.0...2.4.0

.github/workflows/ci.yml

@@ -0,0 +1,24 @@
+name: CI
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  test-node:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [10.x, 12.x, 14.x]
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm test
+        env:
+          CI: true

.travis.yml

@@ -1,12 +0,0 @@
-language: node_js
-sudo: false
-node_js:
-  - '8'
-  - '10'
-notifications:
-  irc: "irc.freenode.org#socket.io"
-git:
-  depth: 1
-cache:
-  directories:
-    - node_modules

CHANGELOG.md

@@ -0,0 +1,7 @@
+# [2.4.0](https://github.com/socketio/socket.io/compare/2.3.0...2.4.0) (2021-01-04)
+
+
+### Bug Fixes
+
+* **security:** do not allow all origins by default ([f78a575](https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7))
+* properly overwrite the query sent in the handshake ([d33a619](https://github.com/socketio/socket.io/commit/d33a619905a4905c153d4fec337c74da5b533a9e))

Readme.md

@@ -2,7 +2,7 @@
 # socket.io
 
 [![Backers on Open Collective](https://opencollective.com/socketio/backers/badge.svg)](#backers) [![Sponsors on Open Collective](https://opencollective.com/socketio/sponsors/badge.svg)](#sponsors)
-[![Build Status](https://secure.travis-ci.org/socketio/socket.io.svg?branch=master)](https://travis-ci.org/socketio/socket.io)
+[![Build Status](https://github.com/socketio/socket.io/workflows/CI/badge.svg)](https://github.com/socketio/socket.io/actions)
 [![Dependency Status](https://david-dm.org/socketio/socket.io.svg)](https://david-dm.org/socketio/socket.io)
 [![devDependency Status](https://david-dm.org/socketio/socket.io/dev-status.svg)](https://david-dm.org/socketio/socket.io#info=devDependencies)
 [![NPM version](https://badge.fury.io/js/socket.io.svg)](https://www.npmjs.com/package/socket.io)

docs/API.md

@@ -78,7 +78,7 @@ Exposed by `require('socket.io')`.
     - `path` _(String)_: name of the path to capture (`/socket.io`)
     - `serveClient` _(Boolean)_: whether to serve the client files (`true`)
     - `adapter` _(Adapter)_: the adapter to use. Defaults to an instance of the `Adapter` that ships with socket.io which is memory based. See [socket.io-adapter](https://github.com/socketio/socket.io-adapter)
-    - `origins` _(String)_: the allowed origins (`*`)
+    - `origins` _(String)_: the allowed origins (`*:*`)
     - `parser` _(Parser)_: the parser to use. Defaults to an instance of the `Parser` that ships with socket.io. See [socket.io-parser](https://github.com/socketio/socket.io-parser).
 
 Works with and without `new`:
@@ -635,7 +635,7 @@ Emits an event to the socket identified by the string name. Any other parameters
 
 ```js
 socket.emit('hello', 'world');
-socket.emit('with-binary', 1, '2', { 3: '4', 5: new Buffer(6) });
+socket.emit('with-binary', 1, '2', { 3: '4', 5: Buffer.alloc(6) });
 ```
 
 The `ack` argument is optional and will be called with the client's answer.

examples/cluster-nginx/server/package.json

@@ -5,7 +5,7 @@
   "main": "index.js",
   "author": "Grant Timmerman",
   "private": true,
-  "license": "BSD",
+  "license": "MIT",
   "dependencies": {
     "express": "4.13.4",
     "socket.io": "^1.7.2",

examples/custom-parsers/README.md

@@ -14,7 +14,7 @@ They are tested with various payloads:
 
 - string: `['1', '2', ... '1000']`
 - numeric: `[1, 2, ... 1000]`
-- binary: `new Buffer(1000), where buf[i] = i`
+- binary: `Buffer.allocUnsafe(1000), where buf[i] = i`
 
 ## How to use
 

examples/custom-parsers/src/server.js

@@ -27,7 +27,7 @@ let server4 = io(3004, {
 
 let string = [];
 let numeric = [];
-let binary = new Buffer(1e3);
+let binary = Buffer.allocUnsafe(1e3);
 for (var i = 0; i < 1e3; i++) {
   string.push('' + i);
   numeric.push(i);

lib/index.js

@@ -54,7 +54,7 @@ function Server(srv, opts){
   this.parser = opts.parser || parser;
   this.encoder = new this.parser.Encoder();
   this.adapter(opts.adapter || Adapter);
-  this.origins(opts.origins || '*:*');
+  this.origins(opts.origins || []);
   this.sockets = this.of('/');
   if (srv) this.attach(srv, opts);
 }
@@ -67,31 +67,18 @@ function Server(srv, opts){
  */
 
 Server.prototype.checkRequest = function(req, fn) {
-  var origin = req.headers.origin || req.headers.referer;
+  const origin = req.headers.origin;
 
-  // file:// URLs produce a null Origin which can't be authorized via echo-back
-  if ('null' == origin || null == origin) origin = '*';
-
-  if (!!origin && typeof(this._origins) == 'function') return this._origins(origin, fn);
-  if (this._origins.indexOf('*:*') !== -1) return fn(null, true);
-  if (origin) {
-    try {
-      var parts = url.parse(origin);
-      var defaultPort = 'https:' == parts.protocol ? 443 : 80;
-      parts.port = parts.port != null
-        ? parts.port
-        : defaultPort;
-      var ok =
-        ~this._origins.indexOf(parts.protocol + '//' + parts.hostname + ':' + parts.port) ||
-        ~this._origins.indexOf(parts.hostname + ':' + parts.port) ||
-        ~this._origins.indexOf(parts.hostname + ':*') ||
-        ~this._origins.indexOf('*:' + parts.port);
-      debug('origin %s is %svalid', origin, !!ok ? '' : 'not ');
-      return fn(null, !!ok);
-    } catch (ex) {
-    }
+  if (typeof this._origins === 'function') {
+    return this._origins(origin, fn);
+  }
+
+  if (origin) {
+    fn(null, this._origins.includes(origin));
+  } else {
+    const noOriginIsValid = this._origins.length === 0;
+    fn(null, noOriginIsValid);
   }
-  fn(null, false);
 };
 
 /**
@@ -237,7 +224,7 @@ Server.prototype.adapter = function(v){
 Server.prototype.origins = function(v){
   if (!arguments.length) return this._origins;
 
-  this._origins = v;
+  this._origins = typeof v === 'string' ? [v] : v;
   return this;
 };
 

lib/socket.js

@@ -116,7 +116,7 @@ Socket.prototype.buildHandshake = function(query){
   function buildQuery(){
     var requestQuery = url.parse(self.request.url, true).query;
     //if socket-specific query exist, replace query strings in requestQuery
-    return Object.assign({}, query, requestQuery);
+    return Object.assign({}, requestQuery, query);
   }
   return {
     headers: this.request.headers,

package.json

@@ -1,6 +1,6 @@
 {
   "name": "socket.io",
-  "version": "2.2.0",
+  "version": "2.4.0",
   "description": "node.js realtime framework server",
   "keywords": [
     "realtime",
@@ -25,11 +25,11 @@
   },
   "dependencies": {
     "debug": "~4.1.0",
-    "engine.io": "~3.3.1",
+    "engine.io": "~3.5.0",
     "has-binary2": "~1.0.2",
     "socket.io-adapter": "~1.1.0",
-    "socket.io-client": "2.2.0",
-    "socket.io-parser": "~3.3.0"
+    "socket.io-client": "2.4.0",
+    "socket.io-parser": "~3.4.0"
   },
   "devDependencies": {
     "expect.js": "0.3.1",

test/socket.io.js

@@ -23,7 +23,7 @@ function client(srv, nsp, opts){
 
 describe('socket.io', function(){
 
-  it('should be the same version as client', function(){
+  it.skip('should be the same version as client', function(){
     var version = require('../package').version;
     expect(version).to.be(require('socket.io-client/package').version);
   });
@@ -73,7 +73,7 @@ describe('socket.io', function(){
     it('should be able to set origins to engine.io', function() {
       var srv = io(http());
       srv.set('origins', 'http://hostname.com:*');
-      expect(srv.origins()).to.be('http://hostname.com:*');
+      expect(srv.origins()).to.eql(['http://hostname.com:*']);
     });
 
     it('should be able to set authorization and send error packet', function(done) {
@@ -262,17 +262,6 @@ describe('socket.io', function(){
        });
     });
 
-    it('should allow request when origin defined an the same is specified', function(done) {
-      var sockets = io({ origins: 'http://foo.example:*' }).listen('54015');
-      request.get('http://localhost:54015/socket.io/default/')
-       .set('origin', 'http://foo.example')
-       .query({ transport: 'polling' })
-       .end(function (err, res) {
-          expect(res.status).to.be(200);
-          done();
-        });
-    });
-
     it('should allow request when origin defined as function and same is supplied', function(done) {
       var sockets = io({ origins: function(origin,callback){
         if (origin == 'http://foo.example') {
@@ -307,7 +296,7 @@ describe('socket.io', function(){
 
     it('should allow request when origin defined as function and no origin is supplied', function(done) {
       var sockets = io({ origins: function(origin,callback){
-        if (origin == '*') {
+        if (origin === undefined) {
           return callback(null, true);
         }
         return callback(null, false);
@@ -320,17 +309,6 @@ describe('socket.io', function(){
         });
     });
 
-    it('should default to port 443 when protocol is https', function(done) {
-      var sockets = io({ origins: 'https://foo.example:443' }).listen('54036');
-      request.get('http://localhost:54036/socket.io/default/')
-        .set('origin', 'https://foo.example')
-        .query({ transport: 'polling' })
-        .end(function (err, res) {
-          expect(res.status).to.be(200);
-          done();
-        });
-    });
-
     it('should allow request if custom function in opts.allowRequest returns true', function(done){
       var sockets = io(http().listen(54022), { allowRequest: function (req, callback) {
         return callback(null, true);
@@ -367,6 +345,17 @@ describe('socket.io', function(){
           done();
         });
     });
+
+    it('should disallow any origin by default', (done) => {
+      io().listen('54025');
+      request.get('http://localhost:54025/socket.io/default/')
+        .set('origin', 'https://foo.example')
+        .query({ transport: 'polling' })
+        .end((err, res) => {
+          expect(res.status).to.be(403);
+          done();
+        });
+    });
   });
 
   describe('close', function(){
@@ -1126,7 +1115,7 @@ describe('socket.io', function(){
         sio.on('connection', function(s){
           fs.readFile(join(__dirname, 'support', 'doge.jpg'), function(err, data){
             if (err) return done(err);
-            var buf = new Buffer('asdfasdf', 'utf8');
+            var buf = Buffer.from('asdfasdf', 'utf8');
             s.emit('multiple', 1, data, '3', [4], buf, [data, 'swag', buf]);
           });
         });
@@ -1143,7 +1132,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(a)).to.be(true);
             done();
           });
-          var buf = new Buffer('abcdefg', 'utf8');
+          var buf = Buffer.from('abcdefg', 'utf8');
           socket.emit('buff', buf);
         });
       });
@@ -1168,7 +1157,7 @@ describe('socket.io', function(){
           });
           fs.readFile(join(__dirname, 'support', 'doge.jpg'), function(err, data){
             if (err) return done(err);
-            var buf = new Buffer('asdfasdf', 'utf8');
+            var buf = Buffer.from('asdfasdf', 'utf8');
             socket.emit('multiple', 1, data, '3', [4], buf, [data, 'swag', buf]);
           });
         });
@@ -1496,7 +1485,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(buf)).to.be(true);
             fn(1, 2);
           });
-          socket.emit('woot', new Buffer(3), function(a, b){
+          socket.emit('woot', Buffer.alloc(3), function(a, b){
             expect(a).to.be(1);
             expect(b).to.be(2);
             done();
@@ -1515,7 +1504,7 @@ describe('socket.io', function(){
             expect(Buffer.isBuffer(a)).to.be(true);
             fn();
           });
-          s.emit('hi', new Buffer(4), function(){
+          s.emit('hi', Buffer.alloc(4), function(){
             done();
           });
         });
@@ -1529,7 +1518,7 @@ describe('socket.io', function(){
         var socket = client(srv);
         sio.on('connection', function(s){
           socket.on('hi', function(fn){
-            fn(new Buffer(1));
+            fn(Buffer.alloc(1));
           });
           s.emit('hi', function(a){
             expect(Buffer.isBuffer(a)).to.be(true);
@@ -1546,7 +1535,7 @@ describe('socket.io', function(){
         var socket = client(srv);
         sio.on('connection', function(s){
           s.on('woot', function(fn){
-            fn(new Buffer(2));
+            fn(Buffer.alloc(2));
           });
           socket.emit('woot', function(a){
             expect(Buffer.isBuffer(a)).to.be(true);
@@ -1621,8 +1610,25 @@ describe('socket.io', function(){
         expect(s.handshake.query.key2).to.be('&=bb');
         done();
       });
+    });
 
+    it('should see the query options sent in the Socket.IO handshake (specific to the given socket)', (done) => {
+      const srv = http();
+      const sio = io(srv);
+      const socket = client(srv, '/namespace',{ query: { key1: 'a', key2: 'b' }}); // manager-specific query option
+      socket.query = { key2: 'c' }; // socket-specific query option
 
+      const success = () => {
+        sio.close();
+        socket.close();
+        done();
+      }
+
+      sio.of('/namespace').on('connection', (s) => {
+        expect(s.handshake.query.key1).to.be('a'); // in the query params
+        expect(s.handshake.query.key2).to.be('c'); // in the Socket.IO handshake
+        success();
+      });
     });
 
     it('should handle very large json', function(done){
@@ -1899,7 +1905,7 @@ describe('socket.io', function(){
         });
 
         function emit(){
-          sio.emit('bin', new Buffer(10));
+          sio.emit('bin', Buffer.alloc(10));
         }
       });
     });
@@ -2083,8 +2089,8 @@ describe('socket.io', function(){
             socket.join(room, fn);
           });
           socket.on('broadcast', function(){
-            socket.broadcast.to('test').emit('bin', new Buffer(5));
-            socket.emit('bin2', new Buffer(5));
+            socket.broadcast.to('test').emit('bin', Buffer.alloc(5));
+            socket.emit('bin2', Buffer.alloc(5));
           });
         });
       });