🔒 [security fix] Enable WebSocket masking in server#49
Conversation
Explicitly enable WebSocket masking in the Ktor server configuration to address potential security vulnerabilities such as cache poisoning. While RFC 6455 mandates client-to-server masking, enabling it on the server can improve resilience against certain classes of attacks and intermediaries.
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enables WebSocket masking on the server side. However, feedback indicates that this violates RFC 6455, which mandates that servers must not mask frames sent to clients, and a suggestion was made to revert this change to maintain protocol compliance.
| timeout = 15.seconds | ||
| maxFrameSize = Long.MAX_VALUE | ||
| masking = false | ||
| masking = true |
There was a problem hiding this comment.
Enabling masking on the server side violates the WebSocket protocol (RFC 6455, Section 5.1). The specification states: "A server MUST NOT mask any frames that it sends to the client." Most compliant clients (including all modern web browsers) will immediately close the connection if they receive a masked frame from the server. The security concern regarding cache poisoning mentioned in the PR description is addressed by client-to-server masking, which is mandatory for clients and should not be enabled on the server for outgoing frames.
| masking = true | |
| masking = false |
1 participant
🎯 What: The vulnerability fixed is the disabled WebSocket masking in the Ktor server configuration.
⚠️ Risk: Disabling masking can leave the server vulnerable to cache poisoning attacks and other intermediaries that might misinterpret unmasked frames as standard HTTP traffic.
🛡️ Solution: Changed
masking = falsetomasking = truein theWebSocketsplugin installation inApplication.kt.PR created automatically by Jules for task 10041019458702965557 started by @TheRealAshik