Remove legacy WebRole debug proxy component#2549

Open
lucygramley wants to merge 1 commit into main from fix/mythos-2982592-delete-webrole

Conversation

@lucygramley lucygramley commented May 18, 2026

Summary

Removes the entire WebRole debug proxy component:

  • ADO#2982592 (NTVS-003, CWE-306) — WebSocket proxy exposes V8 debug port with no authentication
  • ADO#2982593 (NTVS-004, CWE-79) — HtmlDecode/HtmlEncode inversion enables stored XSS in viewlog page
  • ADO#2982594 (NTVS-005, CWE-400) — Unbounded static StringWriter enables memory-exhaustion DoS

Why delete instead of fix?

The WebRole component implements a WebSocket-to-V8-debug-port proxy targeting `node --debug` (port 5858). This protocol was removed in Node.js 8 (2017) — the component is non-functional with any modern Node.js version. Deleting it eliminates ~570 lines of unmaintained attack surface rather than patching dead code.

What's removed

  • `Nodejs/Product/WebRole/` directory (7 files)
  • WebRole project from `NodejsTools.sln`
  • ProjectReference from `Nodejs.csproj` and `TargetsVsix.csproj`
  • PostBuildEvent that copied `Microsoft.NodejsTools.WebRole.dll`
  • `NtvsDebugProxy` handler + rewrite rules from all 6 `Web.Debug.config` templates
  • Legacy `node --debug` flag from iisnode config transforms

Verification

  • No other code references the WebRole assembly — searched for `Microsoft.NodejsTools.WebRole`, `WebSocketProxy`, `WebSocketProxyBase` across the entire repo. Zero hits outside the deleted files and cleaned-up configs.
  • The component was only loaded by IIS at Azure deployment time (via handler registration in Web.Debug.config), never during local VS operation.
  • All npm UI, project system, test adapter, and debugging features are unaffected.

Delete the entire WebRole directory and all references to it. The
WebRole component implements a WebSocket-to-V8-debug-port proxy that
has multiple security issues (NTVS-003/004/005):
- No authentication beyond a source-controlled GUID (CWE-306)
- HtmlDecode/HtmlEncode inversion enabling stored XSS (CWE-79)
- Unbounded static log buffer enabling memory exhaustion DoS (CWE-400)

The legacy V8 --debug protocol (port 5858) was removed in Node.js 8
(2017), making this component non-functional with any modern Node.js.

Changes:
- Delete Nodejs/Product/WebRole/ directory
- Remove WebRole project from NodejsTools.sln
- Remove ProjectReference from Nodejs.csproj and TargetsVsix.csproj
- Remove PostBuildEvent that copied WebRole DLL
- Remove NtvsDebugProxy handler and rewrite rules from all
  Web.Debug.config templates (product + test)
- Remove legacy node --debug flag from iisnode config transforms

Fixes ADO#2982592 (NTVS-003), also resolves ADO#2982593 (NTVS-004)
and ADO#2982594 (NTVS-005)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@lucygramley lucygramley changed the title Remove legacy WebRole debug proxy component (ADO#2982592, #2982593, #2982594) Remove legacy WebRole debug proxy component May 18, 2026
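The XSS and DoS findings listed in the description, as an added illustration that is not code from the NTVS repository (the WebRole sources themselves are not on this page): a hypothetical viewlog-style renderer showing the HtmlDecode/HtmlEncode inversion beside the corrected call, and a bounded buffer in place of an unbounded static StringWriter. It assumes the "inversion" means HtmlDecode was applied to log text where HtmlEncode was intended; LogView, BoundedLogBuffer and AppendLog are invented names.

```csharp
// Added illustration, not NTVS code. Assumes the reported "inversion" means HtmlDecode
// was called where HtmlEncode was intended; LogView/BoundedLogBuffer/AppendLog are hypothetical.
using System;
using System.Collections.Generic;
using System.Net;

public static class LogView
{
    // Vulnerable: decoding before output turns entity-escaped "&lt;script&gt;" in a
    // log entry back into live markup in the viewer page (CWE-79).
    public static string RenderLineVulnerable(string logLine) =>
        "<pre>" + WebUtility.HtmlDecode(logLine) + "</pre>";
    // Corrected: encode on output so the log text is displayed, never interpreted.
    public static string RenderLineSafe(string logLine) =>
        "<pre>" + WebUtility.HtmlEncode(logLine) + "</pre>";
}

// Bounded stand-in for an ever-growing static StringWriter (CWE-400): only the
// newest MaxLines entries are kept, so log volume cannot grow memory without limit.
public sealed class BoundedLogBuffer
{
    private readonly Queue<string> _lines = new Queue<string>();
    private readonly object _lock = new object();
    public int MaxLines { get; }
    public BoundedLogBuffer(int maxLines) => MaxLines = maxLines;
    public void AppendLog(string line)
    {
        lock (_lock)
        {
            _lines.Enqueue(line);
            while (_lines.Count > MaxLines) _lines.Dequeue();
        }
    }
    public string Snapshot() { lock (_lock) return string.Join(Environment.NewLine, _lines); }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed log entry carrying entity-escaped markup from an untrusted request.
        string entry = "request from &lt;script&gt;alert(1)&lt;/script&gt;";
        Console.WriteLine(LogView.RenderLineVulnerable(entry)); // markup is now live
        Console.WriteLine(LogView.RenderLineSafe(entry));       // markup stays inert text
        var buffer = new BoundedLogBuffer(maxLines: 2);
        foreach (var n in new[] { 1, 2, 3 }) buffer.AppendLog("line " + n);
        Console.WriteLine(buffer.Snapshot()); // only "line 2" and "line 3" remain
    }
}
```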