Limit maximum response size #1259

Closed
kornelski opened this issue Aug 7, 2017 · 9 comments
@kornelski
Contributor

Superagent buffers and uncompresses responses in memory. A malicious server could send an extremely large response, causing superagent to use excessive amounts of memory.

I suggest adding a way to set a maximum response size, and have a default limit set.

@letsgolesco

letsgolesco commented Sep 27, 2017

Heads up, this is blocking my company's CI builds - would appreciate a speedy fix if it's possible.

Edit: see https://nodesecurity.io/advisories/479

@kornelski
Contributor Author

Could you help by making a pull request?

@walshie4

I'm in to help, breaking our builds as well (for the time being @letsgolesco you can use a .nsprc file to ignore this advisory). I'll report back with any progress.

@westy92

westy92 commented Sep 27, 2017

To ignore for now, add the following to an .nsprc file:

{
  "exceptions": ["https://nodesecurity.io/advisories/479"]
}

@kornelski
Contributor Author

Fixed in v3.7.0

crookedneighbor pushed a commit to crookedneighbor/amplitude that referenced this issue Oct 19, 2017
@edmorley

This is still showing on https://nodesecurity.io/advisories/479 as not fixed, so I've dropped them an email to update the advisory :-)

@chrisfosterelli

It's updated now 🎉

@ir-fuel

ir-fuel commented Dec 5, 2019

Can someone point me to where it is explained how to set a maximum response size? I would like to download more than 200MB, but I can't find how to specify a bigger number.

@Enet4

Enet4 commented Jul 13, 2020

In case someone stumbles upon this issue, the maximum response size can be changed via the method maxResponseSize.

superagent.get(url)
    .maxResponseSize(4000000000)
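
Added example, not part of the comment above and not superagent's own code: it shows why a response-size cap has to be enforced on the decompressed body rather than on the bytes received, using only Node's built-in `zlib`. The helper `decodeWithLimit`, the 1 MiB `LIMIT` and the sample bodies are hypothetical and constructed for this illustration.

```javascript
const zlib = require('zlib');

// Hypothetical helper (not a superagent API): decode a received body while
// capping its size *after* decompression.
function decodeWithLimit(wireBody, contentEncoding, maxBytes) {
  const enc = (contentEncoding || 'identity').toLowerCase();
  if (enc === 'identity') {
    return wireBody.length > maxBytes
      ? { ok: false, reason: 'too-large' }
      : { ok: true, body: wireBody };
  }
  let inflate;
  if (enc === 'gzip') inflate = zlib.gunzipSync;
  else if (enc === 'deflate') inflate = zlib.inflateSync;
  else return { ok: false, reason: 'unsupported-encoding' };
  try {
    // maxOutputLength makes zlib stop and throw once the output passes the
    // cap, so the oversized body is never fully materialised in memory.
    return { ok: true, body: inflate(wireBody, { maxOutputLength: maxBytes }) };
  } catch (err) {
    const tooLarge = err.code === 'ERR_BUFFER_TOO_LARGE';
    return { ok: false, reason: tooLarge ? 'too-large' : 'decode-error' };
  }
}

// Constructed sample data: a normal small reply and a highly compressible
// 8 MiB body of zero bytes that is only a few KiB on the wire.
const LIMIT = 1024 * 1024;
const smallWire = zlib.gzipSync(Buffer.from('{"status":"ok"}'));
const hugeWire = zlib.gzipSync(Buffer.alloc(8 * LIMIT));

function demo() {
  return {
    small: decodeWithLimit(smallWire, 'gzip', LIMIT),
    hugeWireBytes: hugeWire.length, // passes any check on received bytes
    huge: decodeWithLimit(hugeWire, 'gzip', LIMIT),
  };
}

const result = demo();
console.log('small ok:', result.small.ok);
console.log('huge wire bytes:', result.hugeWireBytes, 'ok:', result.huge.ok);
```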
