From 474915cfe5f609d52d43d03f0d243356a277ec04 Mon Sep 17 00:00:00 2001
From: "Samuel EF. Tinnerholm" <samuel.tinnerholm@gmail.com>
Date: Sun, 24 May 2026 17:49:41 +0300
Subject: [PATCH] fix: validate parsed.method in ws-handler before use

Fixes #559
---
 core/src/server/ws-handler.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/core/src/server/ws-handler.ts b/core/src/server/ws-handler.ts
index 95d478cb..8cc53f17 100644
--- a/core/src/server/ws-handler.ts
+++ b/core/src/server/ws-handler.ts
@@ -255,8 +255,10 @@ export function createWebSocketHandler(
       const action = parsed.action as string | undefined;
       const exchange = parsed.exchange as string | undefined;
 
-      if (!id || !action || !exchange) {
-        sendError(ws, id, "Missing required fields: id, action, exchange");
+      const method = parsed.method as string | undefined;
+
+      if (!id || !action || !exchange || !method) {
+        sendError(ws, id, "Missing required fields: id, action, exchange, method");
         return;
       }
 
@@ -267,7 +269,7 @@ export function createWebSocketHandler(
           id,
           action: "subscribe",
           exchange: exchangeName,
-          method: parsed.method as string,
+          method,
           args: (parsed.args as unknown[]) || [],
           credentials: parsed.credentials as ExchangeCredentials | undefined,
         };
@@ -277,7 +279,7 @@ export function createWebSocketHandler(
           id,
           action: "unsubscribe",
           exchange: exchangeName,
-          method: parsed.method as string,
+          method,
           args: (parsed.args as unknown[]) || [],
         };
         handleUnsubscribe(ws, state, msg, exchangeName);