fix: cap websocket message buffering and remove stale websocket entries by CypherPotato · Pull Request #42 · sisk-http/core

CypherPotato · 2026-05-25T17:19:12Z

A previous WebSocket receive rewrite accumulated entire fragmented messages into memory with no size cap, allowing a remote client to trigger unbounded memory growth.
Disposal behavior no longer unregistered sockets, and collection operations disposed sockets without removing them, leaving stale entries that can amplify resource exhaustion.

Enforced a maximum WebSocket message size in HttpWebSocket.ReceiveInternalAsync by reading request.baseServer.ServerConfiguration.MaximumContentLength and treating non-positive values as unlimited (Int32.MaxValue).
Added an early termination path that closes the socket with WebSocketCloseStatus.MessageTooBig and calls CloseAsync when an in-progress fragmented message would exceed the configured maximum before writing more data into the accumulator.
Fixed HttpWebSocketConnectionCollection.RegisterWebSocket to remove duplicate identified sockets from the internal _ws list before disposing them to avoid leaving stale references.
Fixed HttpWebSocketConnectionCollection.DropAll() to clear _ws and then dispose the previous entries so disposed sockets are not retained in the collection.

Ran dotnet test src/Sisk.Core.csproj -v minimal and the project tests/build succeeded.
Running dotnet test from the repository root fails when no solution/project file is specified, so the targeted project test was used and completed successfully.

fix: bound websocket receive size and cleanup ws collection

21accfd

CypherPotato added codex aardvark labels May 25, 2026 — with ChatGPT Codex Connector

CypherPotato merged commit 2354f6f into main May 25, 2026
3 of 5 checks passed

Provide feedback