Return 400 on binary GET over websockets

OADA · Jun 25, 2021 · fca7cf1 · fca7cf1
1 parent 122a691
commit fca7cf1
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/oada/services/http-handler/src/websockets.ts b/oada/services/http-handler/src/websockets.ts
@@ -21,6 +21,7 @@ import fastifyWebsocket from 'fastify-websocket';
 import _debug from 'debug';
 import jsonpointer from 'jsonpointer';
 import type LightMyRequest from 'light-my-request';
+import { is } from 'type-is';
 
 import SocketRequest, {
   // Runtime check for request type
@@ -408,6 +409,17 @@ const plugin: FastifyPluginAsync = async function (fastify) {
             // @oada/client gets very angry if a header is anything but a string
             headers[k] = v!.toString();
           }
+          // Can only send JSON over websockets
+          const type = res.headers['content-type']?.toString();
+          if (type && !is(type, ['json', '+json'])) {
+            sendResponse({
+              requestId: msg.requestId,
+              // Bad Request
+              status: 400,
+              headers,
+            });
+            return;
+          }
           sendResponse({
             requestId: msg.requestId,
             status: res.statusCode,