From 873cce27b8f1b7900ea08c85b2d563ddd478a38a Mon Sep 17 00:00:00 2001
From: "Dayan C. Galiazzi" <galiazzi.dayan@gmail.com>
Date: Tue, 24 Aug 2021 19:55:32 -0300
Subject: [PATCH] fix(ext/http): websocket upgrade header check (#11830)

---
 cli/tests/unit/http_test.ts | 46 +++++++++++++++++++++++++++++++++++++
 ext/http/01_http.js         |  3 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/cli/tests/unit/http_test.ts b/cli/tests/unit/http_test.ts
index 0642a6d673..201ca12698 100644
--- a/cli/tests/unit/http_test.ts
+++ b/cli/tests/unit/http_test.ts
@@ -6,6 +6,7 @@ import { TextProtoReader } from "../../../test_util/std/textproto/mod.ts";
 import {
   assert,
   assertEquals,
+  assertThrows,
   assertThrowsAsync,
   deferred,
   delay,
@@ -705,6 +706,51 @@ unitTest(function httpUpgradeWebSocketMultipleConnectionOptions() {
   assertEquals(response.status, 101);
 });
 
+unitTest(function httpUpgradeWebSocketCaseInsensitiveUpgradeHeader() {
+  const request = new Request("https://deno.land/", {
+    headers: {
+      connection: "upgrade",
+      upgrade: "WebSocket",
+      "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
+    },
+  });
+  const { response } = Deno.upgradeWebSocket(request);
+  assertEquals(response.status, 101);
+});
+
+unitTest(function httpUpgradeWebSocketInvalidUpgradeHeader() {
+  assertThrows(
+    () => {
+      const request = new Request("https://deno.land/", {
+        headers: {
+          connection: "upgrade",
+          upgrade: "invalid",
+          "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
+        },
+      });
+      Deno.upgradeWebSocket(request);
+    },
+    TypeError,
+    "Invalid Header: 'upgrade' header must be 'websocket'",
+  );
+});
+
+unitTest(function httpUpgradeWebSocketWithoutUpgradeHeader() {
+  assertThrows(
+    () => {
+      const request = new Request("https://deno.land/", {
+        headers: {
+          connection: "upgrade",
+          "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
+        },
+      });
+      Deno.upgradeWebSocket(request);
+    },
+    TypeError,
+    "Invalid Header: 'upgrade' header must be 'websocket'",
+  );
+});
+
 unitTest({ perms: { net: true } }, async function httpCookieConcatenation() {
   const promise = (async () => {
     const listener = Deno.listen({ port: 4501 });
diff --git a/ext/http/01_http.js b/ext/http/01_http.js
index b14a0d3528..073cc7a7c7 100644
--- a/ext/http/01_http.js
+++ b/ext/http/01_http.js
@@ -341,7 +341,8 @@
   const _ws = Symbol("[[associated_ws]]");
 
   function upgradeWebSocket(request, options = {}) {
-    if (request.headers.get("upgrade") !== "websocket") {
+    const upgrade = request.headers.get("upgrade");
+    if (!upgrade || StringPrototypeToLowerCase(upgrade) !== "websocket") {
       throw new TypeError(
         "Invalid Header: 'upgrade' header must be 'websocket'",
       );