Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rename and clarify the body.collect(upTo:) API which gets used in an insecure way all the time #745

Open
weissi opened this issue Jun 21, 2024 · 1 comment
Open

Rename and clarify the body.collect(upTo:) API which gets used in an insecure way all the time #745

weissi opened this issue Jun 21, 2024 · 1 comment

Comments

@weissi
Copy link
Contributor

weissi commented Jun 21, 2024
edited
Loading

We see code similar to this a lot

let expectedBytes = response.headers.first(name: "content-length").flatMap(Int.init) ?? 1024 * 1024
return Response(status: response.status, buffer: try await response.body.collect(upTo: expectedBytes))

The above code doesn't make any sense because it essentially says

Read as many bytes as you want into memory

This of course can lead to very bad scenarios because the content-length is controlled by the attacker. Furthermore, it's a lot of code to spell the ~equivalent of

return Response(status: response.status, buffer: try await response.body.collect(upTo: Int.max))

And just to be clear, we do not have to check content-length here. The content length is correct, or else NIO would've spotted that and sent an error instead (like illegal EOF condition if it ended prematurely or so).

But let's get to fixing this:

Goals:

  • Reasonable (fixed-sized limit) code should look good and be discoverable without reading much documentation
  • Unreasonable code should be possible but awkward using some word that conveys the danger of what's happening
  • Not overcomplicated

Ideas:

  • Put a reasonable default limit (e.g. 4MB) on there. So body.collect() would be safe
  • Make it clear in the docs that streaming should always be preferred. For example to save something to disk or proxy it, collect(...) should not be used. Only for JSON/protobuf/image/... decoding that needs to happen in memory we should use it
  • Instead of Int use a new type that can be constructed with integer literals or (and thanks to @hamzahrmalik for the idea) using some .init(watchOutWhatYourAreDoingIsDangerous: Int)

Maybe

  • body.collectIntoMemory() -- safe: up to 4 MB
  • body.collectIntoMemory(maximumSize: .megabytes(16)) -- safe: up to 16 MB
  • body.collectIntoMemory(maximumSize: .bytes(contentLength)) -- compiler error: expected type BodySize, actual type Int
  • body.collectIntoMemory(maximumSize: .bytes(BodySize(dangerousCalculatedSizeInBytes: contentLength)) -- unsafe but compiles
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@weissi @FranzBusch