fix(eio): handle invalid packets when upgrading to WebTransport

darrachequesne · darrachequesne · commit 1fa1f46cd420 · 2026-04-16T09:08:40.000+02:00
diff --git a/packages/engine.io/lib/server.ts b/packages/engine.io/lib/server.ts
@@ -166,6 +166,11 @@ function parseSessionId(data: string): string | undefined {
   } catch (e) {}
 }
 
+// Object.hasOwn() was introduced in Node.js 16.9
+function hasOwn(obj: Record<string, any>, key: string): boolean {
+  return Object.prototype.hasOwnProperty.call(obj, key);
+}
+
 export abstract class BaseServer extends EventEmitter {
   public opts: ServerOptions;
 
@@ -583,7 +588,7 @@ export abstract class BaseServer extends EventEmitter {
 
     const sid = parseSessionId(value.data);
 
-    if (!sid) {
+    if (!sid || !hasOwn(this.clients, sid)) {
       debug("invalid WebTransport handshake");
       return session.close();
     }
diff --git a/packages/engine.io/test/webtransport.mjs b/packages/engine.io/test/webtransport.mjs
@@ -302,6 +302,96 @@ describe("WebTransport", () => {
     );
   });
 
+  it("should close a connection that sends an invalid upgrade", (done) => {
+    setupServer(
+      {
+        transports: ["polling", "websocket", "webtransport"],
+      },
+      async ({ engine, h3Server, certificate }) => {
+        const httpServer = await createHttpServer(h3Server.port);
+        engine.attach(httpServer);
+
+        request(`http://localhost:${h3Server.port}/engine.io/`)
+          .query({ EIO: 4, transport: "polling" })
+          .end(async (_, res) => {
+            const payload = JSON.parse(res.text.substring(1));
+
+            expect(payload.upgrades).to.eql(["websocket", "webtransport"]);
+
+            const client = new WebTransport(
+              `https://127.0.0.1:${h3Server.port}/engine.io/`,
+              {
+                serverCertificateHashes: [
+                  {
+                    algorithm: "sha-256",
+                    value: certificate.hash,
+                  },
+                ],
+              },
+            );
+
+            await client.ready;
+
+            const stream = await client.createBidirectionalStream();
+            const writer = stream.writable.getWriter();
+
+            await writer.write(Uint8Array.of(31));
+            await writer.write(
+              TEXT_ENCODER.encode(`0{"sid":"11111111111111111111"}`),
+            );
+
+            client.closed.then(() => {
+              success(engine, h3Server, done);
+            });
+          });
+      },
+    );
+  });
+
+  it("should close a connection that sends an invalid upgrade (bis)", (done) => {
+    setupServer(
+      {
+        transports: ["polling", "websocket", "webtransport"],
+      },
+      async ({ engine, h3Server, certificate }) => {
+        const httpServer = await createHttpServer(h3Server.port);
+        engine.attach(httpServer);
+
+        request(`http://localhost:${h3Server.port}/engine.io/`)
+          .query({ EIO: 4, transport: "polling" })
+          .end(async (_, res) => {
+            const payload = JSON.parse(res.text.substring(1));
+
+            expect(payload.upgrades).to.eql(["websocket", "webtransport"]);
+
+            const client = new WebTransport(
+              `https://127.0.0.1:${h3Server.port}/engine.io/`,
+              {
+                serverCertificateHashes: [
+                  {
+                    algorithm: "sha-256",
+                    value: certificate.hash,
+                  },
+                ],
+              },
+            );
+
+            await client.ready;
+
+            const stream = await client.createBidirectionalStream();
+            const writer = stream.writable.getWriter();
+
+            await writer.write(Uint8Array.of(20));
+            await writer.write(TEXT_ENCODER.encode(`0{"sid":"__proto__"}`));
+
+            client.closed.then(() => {
+              success(engine, h3Server, done);
+            });
+          });
+      },
+    );
+  });
+
   it("should send ping/pong packets", (done) => {
     setup(
       {
