fix(websocket): validate inline payload with current opcode

[mcollina]

This relates to...

WebSocket maxPayloadSize validation for inline (<=125 byte) frames.

Rationale

The inline payload-length path validated maxPayloadSize before storing the current frame opcode in parser state. This allowed stale opcode decisions across control/data frame transitions: a preceding control frame could make oversized data bypass the limit, and a preceding data frame could cause legal control frames to be counted toward the limit.

Changes

Features

N/A

Bug Fixes

• Validate inline payload lengths with the freshly parsed opcode.
• Add regression coverage for:
  • control frame followed by oversized inline data
  • valid inline data followed by a control frame

Breaking Changes and Deprecations

N/A

Status

• I have read and agreed to the Developer's Certificate of Origin
• Tested
• Benchmarked (optional)
• Documented
• Review ready
• In review
• Merge ready

Validation:

• node --test test/websocket/fragments.js test/websocket/permessage-deflate-limit.js test/websocket/permessage-deflate-config.js test/websocket/stream/too-many-fragments.js
• npm run lint

[mcollina]

cc @lpinca

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.36%. Comparing base (f4045b9) to head (344069e).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5432   +/-   ##
=======================================
  Coverage   93.36%   93.36%           
=======================================
  Files         110      110           
  Lines       36993    36993           
=======================================
  Hits        34537    34537           
  Misses       2456     2456           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lpinca]

Suggested change

	const socket = ws._socket
	// Ping frame followed by a 2-byte text frame. The text frame must be
	// validated as data, not as the previous control frame.
	socket.write(Buffer.from([0x89, 0x01, 0x78]))
	socket.write(Buffer.from([0x81, 0x02, 0x61, 0x62]))
	// The text frame must be validated as data, not as the previous control frame.
	ws.ping()
	ws.send('ab')

[lpinca]

Isn't it cleaner to customize the default test timeout?

[lpinca]

Suggested change

	const socket = ws._socket
	// 1-byte text frame at the limit followed by a 2-byte ping. The ping
	// must be validated as a control frame, not as the previous data frame.
	socket.write(Buffer.from([0x81, 0x01, 0x61]))
	socket.write(Buffer.from([0x89, 0x02, 0x78, 0x79]))
	// The ping must be validated as a control frame, not as the previous text frame.
	ws.send('a')
	ws.ping('xy')

I guess this is by design, but why is the limit ignored for control frames? If I set it 50 bytes, I would expect it to also apply for control frames.