From 129d3035f688f8f1c8a03d65e874e15860d21365 Mon Sep 17 00:00:00 2001
From: Anmol Sethi <hi@nhooyr.io>
Date: Wed, 7 Apr 2021 09:31:44 -0600
Subject: [PATCH 1/2] Fix DOS attack from malicious pongs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A double channel close panic was possible if a peer sent back multiple
pongs for every ping.

If the second pong arrived before the ping goroutine deleted its channel
from the map, the channel would be closed twice and so a panic would
ensue.

This fixes that by having the read goroutine send on the ping
goroutine's channel rather than closing it.

Reported via email by Tibor Kálmán @kalmant

Please update to the new release ASAP!
---
 conn_notjs.go | 2 +-
 read.go       | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/conn_notjs.go b/conn_notjs.go
index bb2eb22f..0c85ab77 100644
--- a/conn_notjs.go
+++ b/conn_notjs.go
@@ -189,7 +189,7 @@ func (c *Conn) Ping(ctx context.Context) error {
 }
 
 func (c *Conn) ping(ctx context.Context, p string) error {
-	pong := make(chan struct{})
+	pong := make(chan struct{}, 1)
 
 	c.activePingsMu.Lock()
 	c.activePings[p] = pong
diff --git a/read.go b/read.go
index afd08cc7..ae05cf93 100644
--- a/read.go
+++ b/read.go
@@ -271,7 +271,10 @@ func (c *Conn) handleControl(ctx context.Context, h header) (err error) {
 		pong, ok := c.activePings[string(b)]
 		c.activePingsMu.Unlock()
 		if ok {
-			close(pong)
+			select {
+			case pong <- struct{}{}:
+			default:
+			}
 		}
 		return nil
 	}

From b0d7a2712f3b3c9015a33065b556b6d75414d25a Mon Sep 17 00:00:00 2001
From: Anmol Sethi <hi@nhooyr.io>
Date: Wed, 7 Apr 2021 09:55:44 -0600
Subject: [PATCH 2/2] Fix CI

---
 ci/container/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile
index fd008788..0c6c2a54 100644
--- a/ci/container/Dockerfile
+++ b/ci/container/Dockerfile
@@ -10,5 +10,5 @@ RUN go get golang.org/x/tools/cmd/stringer
 RUN go get golang.org/x/lint/golint
 RUN go get github.com/agnivade/wasmbrowsertest
 
-RUN npm install -g prettier
-RUN npm install -g netlify-cli
+RUN npm --unsafe-perm=true install -g prettier
+RUN npm --unsafe-perm=true install -g netlify-cli