Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

no way to interrupt incoming messages (eg. data of a remote function call) #41

Closed
tommedema opened this issue Apr 9, 2011 · 2 comments
Closed

no way to interrupt incoming messages (eg. data of a remote function call) #41

tommedema opened this issue Apr 9, 2011 · 2 comments

Comments

@tommedema
Copy link

If a client calls a remote function on the server, there is no way to interrupt this stream of data from the client to the server.

In essence, a function call acts "synchronous" because the server waits for the clients to finish sending all parameters and then executes it on the server.

This means that a client can send huge piles of data within a function to a server, causing the stream to take up way too many resources and be too time intensive.

Thus, it has to be possible to validate incoming streams and be able to kill the connection if too much data is being send.
@ericz
Copy link
Contributor

ericz commented Apr 9, 2011

Hey tom,

Yes this is a fix that we should be implementing ("validate incoming streams" and kill it if it is sending too much data to prevent overuse of server resources).

If you made a function call with a giant amount of parameter data, this won't be synchronous however because the transfer of that data and storing it in memory on the server is all asynchronous. The server will not wait synchronously for the parameters of a function to load fully. That function will simply be called after all data is loaded into memory. The only process there that is synchronous is the deserialization, which may be a problem.

However the issue is still that the memory can be swamped as that data WILL be stored in memory.

Excellent point. I didn't think of this method in our previous discussions.

@ericz
Copy link
Contributor

ericz commented May 19, 2011

This might not be possible.

Socket.io exposes incoming data not as a stream but as discrete messages. Any validation we write would have to be after the message has been accepted. We could possibly intercept a malicious message before it gets JSON.parsed which would save us some time but even then the damage to memory use would've occured.

Socket.io v0.7 will be exposing lower level things like the parser so that will be easy to implement (will not have to fork socket.io) in the new version.

In any case this is really more of a socket.io issue so I am closing for now.

Thanks for the issue tom.

@ericz ericz closed this as completed May 19, 2011
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericz @tommedema