feat: support reading from websockets

src/runtime/server/middleware/xssValidator.ts

@@ -27,14 +27,17 @@ export default defineEventHandler(async(event) => {
         const valueToFilter =
           event.node.req.method === 'GET'
             ? getQuery(event)
+            : event.node.req.headers['upgrade'] === "websocket"
+            ? event.node.req.socket.read().toString('utf8')
             : event.node.req.headers['content-type']?.includes(
                 'multipart/form-data'
               )
             ? await readMultipartFormData(event)
             : await readBody(event)
         // Fix for problems when one middleware is returning an error and it is catched in the next
-        if (valueToFilter && Object.keys(valueToFilter).length) {
+        if (valueToFilter && (typeof valueToFilter === "object" && Object.keys(valueToFilter).length || valueToFilter.length)) {
           if (
+            typeof valueToFilter === "object" &&
             valueToFilter.statusMessage &&
             valueToFilter.statusMessage !== 'Bad Request'
           ) {

test/fixtures/xss/composables/socket.ts

@@ -0,0 +1,9 @@
+export function useSocket(): ReturnType<typeof import('socket.io-client')['io']> {
+  const { $socket } = useNuxtApp()
+  return $socket
+}
+
+export function useIO(): typeof import('socket.io-client')['io'] {
+  const { $io } = useNuxtApp()
+  return $io
+}

test/fixtures/xss/package.json

@@ -1,5 +1,11 @@
 {
   "private": true,
   "name": "basic",
-  "type": "module"
+  "type": "module",
+  "dependencies": {
+    "eiows": "^7.0.3",
+    "engine.io": "^6.5.4",
+    "socket.io": "^4.7.5",
+    "socket.io-client": "^4.7.5"
+  }
 }

test/fixtures/xss/pages/index.vue

@@ -1,3 +1,24 @@
 <template>
-  <div>basic</div>
+  <div>
+    basic
+    <div>
+      <button @click="onClick">
+        Click to emit event
+      </button>
+    </div>
+  </div>
 </template>
+
+<script lang="ts" setup>
+const io = useIO()
+
+const onClick = () => {
+  const socket = io()
+
+  socket.on('connect', () => {
+    socket.emit('id:req', (res) => {
+      console.log(res)
+    })
+  })
+}
+</script>

test/fixtures/xss/plugins/socket.client.ts

@@ -0,0 +1,15 @@
+import { io } from 'socket.io-client'
+
+export default defineNuxtPlugin(async (nuxtApp) => {
+  const socket = io()
+
+  nuxtApp.provide('socket', socket)
+  nuxtApp.provide('io', io)
+})
+
+declare module '#app' {
+  interface NuxtApp {
+    $io: typeof import('socket.io-client')['io']
+    $socket: ReturnType<typeof import('socket.io-client')['io']>
+  }
+}

test/fixtures/xss/server/plugins/socket-io.ts

@@ -0,0 +1,43 @@
+import { Server as Engine } from 'engine.io'
+import { Server } from 'socket.io'
+
+export default defineNitroPlugin((nitroApp) => {
+  const engine = new Engine()
+  const io = new Server({
+    cookie: {
+      name: 'io',
+      httpOnly: true,
+      sameSite: 'lax',
+    },
+  })
+
+  io.bind(engine)
+  io.of('/').on('connection', (socket) => {
+    socket.on('id:req', async (cb: (response: { id: string } | { error: string }) => void) => {
+      console.log('requested ID')
+      cb({ id: 'some-id' })
+    })
+  })
+
+  nitroApp.router.use('/socket.io/', defineEventHandler({
+    handler(event) {
+      engine.handleRequest(event.node.req, event.node.res)
+      event._handled = true
+    },
+    websocket: {
+      open(peer) {
+        const nodeContext = peer.ctx.node
+        const req = nodeContext.req
+
+        // @ts-expect-error private method
+        engine.prepare(req)
+
+        const rawSocket = nodeContext.req.socket
+        const websocket = nodeContext.ws
+
+        // @ts-expect-error private method
+        engine.onWebSocket(req, rawSocket, websocket)
+      },
+    },
+  }))
+})

test/fixtures/xss/server/tsconfig.json

@@ -0,0 +1,3 @@
+{
+  "extends": "../.nuxt/tsconfig.server.json"
+}