Security: prevent DOS via maximum receive size enforcement #432

@aseigo

Description

Problem Description

In order to prevent DoS through large message sizes, having the gRPC server drop messages beyond a certain size is desirable.

I have not been able to find configuration or a code path that limits the size of the message consumed. There is a max_message_length parameter on GRPC.Message.to_data, but this does not seem to be used in the server code, nor do I see any maximum size limits enforced internally?

Expectation

  • Some way to set a maximum per-message buffer limit
  • Being able to set this to the size of the message in question would be fantastic, as a message that e.g. has 3 uint64s can be cut off a lot sooner than one with string buffers, etc.
  • Being able to set max field sizes would also be incredibly useful, but I believe that is something more for the underlying protobuf lib. Still, having field sizes would allow calculation of the maximum bytes for a given message based on the route. I think this could be calculated at compile time in the __call_rpc__ functions, so would have zero runtime performance impact?

If this is already supported ...

If this is already supported and I have simply missed it, apologies, and this would then become a request to add the method to the documentation.

I'm happy to do that once I know how this is enforced in the library ;)

If not ...

If there are no (sane) max message reception limits enforced, then this really needs to be added in some form or another. Other gRPC server implementations have had CVEs lodged against them for this exact issue. I also know that without this, I will not be able to use this function in environments where all APIs must have message size limiting as a security checklist requirement (I work in such environments, so this is not so much theory as a known blocker.)

I'd also be happy to provide a PR once a decision on what to support can be made.

Thanks in advance for your attention to this matter!
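As an added illustration of the per-route bound the request describes (example code written for this page, not code from grpc-elixir): the static maximum wire size of a message made only of scalar fields is derived from the protobuf wire format, and the 5-byte gRPC length prefix is checked against it before the body is read. The `(field_number, type_name, repeated)` tuple format for describing a message's fields is an assumption of this example.

```python
"""Added example: bound a message's encoded size from its schema and reject oversized gRPC frames early."""
from __future__ import annotations
import math
import struct

# Maximum payload bytes (excluding the tag) for each scalar protobuf type.
# 64-bit varint types, enums and negative int32 values can occupy up to 10 bytes.
SCALAR_MAX_BYTES = {
    "int32": 10, "int64": 10, "uint32": 5, "uint64": 10,
    "sint32": 5, "sint64": 10, "bool": 1, "enum": 10,
    "fixed32": 4, "sfixed32": 4, "float": 4,
    "fixed64": 8, "sfixed64": 8, "double": 8,
}
UNBOUNDED_TYPES = {"string", "bytes"}

# gRPC message prefix: 1-byte compressed flag + 4-byte big-endian message length.
GRPC_PREFIX = struct.Struct("!BI")

def tag_size(field_number: int) -> int:
    """Bytes used by the varint tag ((field_number << 3) | wire_type)."""
    return max(1, math.ceil((field_number << 3).bit_length() / 7))

def max_wire_size(fields: list[tuple[int, str, bool]]) -> int | None:
    """Upper bound on the encoded size of a well-formed message, or None when a
    field (string, bytes, repeated, nested message) has no static bound.
    A conforming encoder never exceeds this; anything larger is dropped unread,
    which also discards payloads padded with unknown or duplicated fields."""
    total = 0
    for number, type_name, repeated in fields:
        if repeated or type_name in UNBOUNDED_TYPES or type_name not in SCALAR_MAX_BYTES:
            return None
        total += tag_size(number) + SCALAR_MAX_BYTES[type_name]
    return total

def check_frame(frame: bytes, limit: int) -> tuple[bool, str]:
    """Inspect only the gRPC length prefix; returns (accept, reason) before any body is buffered.
    The declared length of a compressed frame is the compressed size, so the same
    limit must also be applied to the decompressed output."""
    if len(frame) < GRPC_PREFIX.size:
        return False, "short prefix"
    compressed, length = GRPC_PREFIX.unpack_from(frame)
    if compressed not in (0, 1):
        return False, "invalid compressed flag"
    if length > limit:
        return False, f"declared length {length} exceeds limit {limit}"
    return True, "ok"

# Constructed sample frames: a 6-byte body holding three small uint64 fields, and a
# header-only frame that claims a 1 MiB body (rejected without reading it).
THREE_UINT64 = [(1, "uint64", False), (2, "uint64", False), (3, "uint64", False)]
FRAME_OK = GRPC_PREFIX.pack(0, 6) + b"\x08\x01\x10\x02\x18\x03"
FRAME_TOO_BIG = GRPC_PREFIX.pack(0, 1 << 20)
```

A route whose message has a `string` field gets `None` here and falls back to a server-wide default limit instead.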
