I'll leave this IRC conversation as a quick request for feedback:
<pepee> honestly, this is still making me nervous: http://www.gorillatoolkit.org/pkg/schema
<moraes> pepee, why?
<pepee> moraes, what if you pass a very long slice? or a long field in a form, etc.
<moraes> pepee, that's an interesting issue. probably not out of scope for the package.
<moraes> or for those kinds of attacks you shouldn't even touch request data
<moraes> pepee, so: 1. server check (413 status); 2. gorilla/schema could apply a limit tag
<pepee> moraes, yeah, there should be ways of limiting input, at least for the slices
<moraes> i will open an issue
<pepee> they should at least indicate that in the docs
<pepee> "make sure you sanitize your inputs, your user could be sending long strings, blah blah"
<moraes> yup.
The question is: Should gorilla/schema care about DoS attacks, at all? Or this is out of scope and should be handled in the server level or at most before submitting data to the package?
gorilla/schema could do that: but I'd argue that we'd be introducing another toggle that doubles up with net/http's ParseForm. That limits the request size to 10MB by default and MaxBytesReader provides the dial to tweak this. I'm not convinced that schema should take on that responsibility and/or potentially confuse package users (what if schema's limit is greater than the server's?)
There may be value in mentioning it in the docs, but we'd just be reiterating that the 10MB default limit exists.
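The comment above points at the server-level controls rather than a schema-level toggle. The following is an added example (not code from gorilla/schema or from anyone in this thread) showing what that looks like with only the standard library: the handler wraps the body with http.MaxBytesReader so that ParseForm fails on an oversized body, and then applies a per-key value cap before the form would be handed to a struct decoder, which addresses the "very long slice" case from the IRC log. The caps (1 KiB body, 8 values per key) and the helper checkFormShape are assumptions made for the demo; they are not gorilla/schema or net/http APIs. The requests are constructed in-process with httptest.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// maxBodyBytes is an illustrative per-request cap (assumption: 1 KiB keeps
// the demo small; net/http's own default for ParseForm is 10 MiB).
const maxBodyBytes = 1 << 10

// maxValuesPerKey caps how many repeated values one form key may carry
// before the form is handed to a struct decoder such as gorilla/schema.
// Assumption for the demo; schema itself imposes no such limit.
const maxValuesPerKey = 8

// checkFormShape returns an error if any key in the parsed form carries more
// than maxPerKey values. Hypothetical helper, not a gorilla/schema API.
func checkFormShape(form url.Values, maxPerKey int) error {
	for k, vs := range form {
		if len(vs) > maxPerKey {
			return fmt.Errorf("field %q has %d values, limit is %d", k, len(vs), maxPerKey)
		}
	}
	return nil
}

// formHandler wraps the body with http.MaxBytesReader, so ParseForm fails
// (and the server closes the connection) once the client has sent more than
// maxBodyBytes. It answers 413 on either the byte limit or the per-key limit.
func formHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseForm(); err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if err := checkFormShape(r.PostForm, maxValuesPerKey); err != nil {
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	// Here the form is bounded in both byte size and fan-out, and is safe to
	// hand to a decoder (e.g. decoder.Decode(&dst, r.PostForm)).
	fmt.Fprintf(w, "ok: %d fields\n", len(r.PostForm))
}

// postForm sends an already-encoded form body to formHandler in-process and
// returns the status code, so the behaviour can be checked without a listener.
func postForm(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/submit", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	formHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed inputs: a small form, an oversized body, and one key
	// repeated more times than maxValuesPerKey (the "very long slice").
	small := "name=alice&tags=a&tags=b"
	huge := "name=" + strings.Repeat("A", 2*maxBodyBytes)
	manyTags := "tags=" + strings.Repeat("x&tags=", maxValuesPerKey) + "x"
	fmt.Println("small:", postForm(small))
	fmt.Println("huge:", postForm(huge))
	fmt.Println("many:", postForm(manyTags))
}
```

Because MaxBytesReader is applied per handler, the limit can be tuned per route (a file-upload endpoint versus a login form) without touching the decoder, which is the separation the comment argues for: the server owns the size budget, the decoder only sees data that already fits it.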