fix the server crashing due a malformed json in websocket message (#5920)

You can verify it using: ``` <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Media API PoC</title> </head> <body> <h1>Media API Cross-Site WebSocket Hijacking PoC</h1> <script> let ws = new WebSocket("wss://<url + base path>/api/poc"); ws.onopen = function () { console.log("WebSocket connection established."); ws.send("Malformed JSON"); }; </script> </body> </html> ```
2026-01-23 02:25:07 +00:00 · 2025-08-28 22:33:05 +02:00 · 2025-08-28 22:33:05 +02:00 · 7e5acf105f
commit 7e5acf105f
parent d4bdb463c1
2 changed files with 13 additions and 4 deletions
--- a/.changeset/afraid-cobras-fix.md
+++ b/.changeset/afraid-cobras-fix.md
@ -0,0 +1,5 @@
+---
+"@uppy/companion": patch
+---
+
+fix the server crashing due a malformed json in a websocket message
--- a/packages/@uppy/companion/src/server/socket.js
+++ b/packages/@uppy/companion/src/server/socket.js
@ -73,10 +73,14 @@ export default function setupSocket(server) {
    })

    ws.on('message', (jsonData) => {
-      const data = JSON.parse(jsonData.toString())
-      // whitelist triggered actions
-      if (['pause', 'resume', 'cancel'].includes(data.action)) {
-        emitter().emit(`${data.action}:${token}`)
+      try {
+        const data = JSON.parse(jsonData.toString())
+        // whitelist triggered actions
+        if (['pause', 'resume', 'cancel'].includes(data.action)) {
+          emitter().emit(`${data.action}:${token}`)
+        }
+      } catch (err) {
+        logger.error(err, 'websocket.error', Uploader.shortenToken(token))
      }
    })