Fix Socket Mode builtin WebSocket masked payload unmasking (RFC 6455)#1858
Open
beejak wants to merge 1 commit intoslackapi:mainfrom
Open
Fix Socket Mode builtin WebSocket masked payload unmasking (RFC 6455)#1858beejak wants to merge 1 commit intoslackapi:mainfrom
beejak wants to merge 1 commit intoslackapi:mainfrom
Conversation
The masked-payload branch incorrectly used range(data_to_append) on bytes and attempted in-place XOR on an immutable bytes object. Unmasking now uses a bytearray per RFC 6455. Added a short comment that SHA-1 in Sec-WebSocket-Accept is required by RFC 6455 section 1.3. Made-with: Cursor
|
Thanks for the contribution! Before we can merge this, we need @beejak to sign the Salesforce Inc. Contributor License Agreement. |
WilliamBergamin
requested changes
Apr 24, 2026
Contributor
WilliamBergamin
left a comment
WilliamBergamin
left a comment
There was a problem hiding this comment.
Hi @beejak thanks for your interest and contribution 💯
There seems to be other improvement that could be made in this area before we can merge this
- the type hinting around
current_mask_keyis currently astrbut should probably bebytes - The change to
bytesmight cause some downstream changes/improvements - We should also add unit tests that specifically cover this area, currently it is not covered
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This change fixes the masked WebSocket frame handling path in the builtin Socket Mode client (
slack_sdk/socket_mode/builtin/internals.py).The previous code used
range(data_to_append)wheredata_to_appendisbytes(invalid in Python 3) and attempted in-place XOR on an immutablebytesobject. Per RFC 6455, masking XORs octets; unmasking is now implemented with abytearrayandrange(len(...)).A short comment was also added in
_validate_sec_websocket_accept: SHA-1 forSec-WebSocket-Acceptis required by RFC 6455 section 1.3, not a discretionary hash upgrade to SHA-256.Verification
(2 passed locally.)
Context
Servers normally send unmasked frames to clients; the masked branch is uncommon but should be correct for compliance and tests that exercise masked server frames.