Log solve request data transfer#4082
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the /solve endpoint to measure the duration of request body data transfer, which helps in diagnosing reported delays. The implementation correctly changes the endpoint to accept a raw HTTP request and streams the body to hyper::body::Bytes while timing the operation. However, this change introduces a critical security vulnerability. By processing the raw request body without a size limit, the service is exposed to a Denial of Service attack via memory exhaustion from an overly large request payload. My review includes a comment with a suggested fix to mitigate this vulnerability by applying a size limit to the request body.
squadgazzz
left a comment
squadgazzz
left a comment
There was a problem hiding this comment.
LGTM. Just a nit.
It smells like a gRPC API is a better successor for this communication, since I assume a lot of data are bytes-related in any case.
Co-authored-by: ilya <ilya@cow.fi>
4 participants
Description
Some solvers reported that some requests come significantly delayed (judging by the auction deadline). Currently we have no way to distinguish between receiving the start of the
/solverequest and streaming the actual data.This PR makes this possible by making the
solvehandler take a raw http request and stream the body afterwards.Changes
Instead of:
String(including utf8 check)Stringinto anArcto make copying it cheapSolveRequestWe now do:
BytestypeSolveRequestSince handling the raw request seems to bypass axum's request size checks I did it manually for this endpoint.
How to test
Existing tests should suffice