New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change default decoder limits #295
Comments
To avoid DoS attack, make default size limit smaller. Fixes #295
Hmmm, is there any chance this can be reverted? I think this is breaking a lot of code that has legitimate uses for larger messages than 1 MiB. It certainly caused surprising crashes for me, and I guess I'm not alone. I do appreciate the DoS issue though. Maybe it would be possible to not allocate the memory for the string/bin/ext until all the data is present? Like store all the chunks of data in a boring old Python list until the length of all the components of the list add up to the length that was promised? I haven't looked at the implementation at all to know if that even makes sense or would be possible. Or maybe add a special case for when all the data to pack/unpack is already present? These ideas are based on the understanding that the attack vector is something like: someone sends you data (maybe over a socket, maybe from a file) that says they are giving you a 2 GiB EXT message, but then they give you nothing else. So they can do minimal work and make you allocate tons of memory. If the data actually is present, that seems like less of an issue. On a related note, it would be really nice if the docs could be updated to the latest version that incorporates these changes; when reading the docs (which are currently for 0.5 on readthedocs if I'm looking at the right thing) it still shows 2**32 - 1 as the max size. It took me a bit to realize I was looking at the wrong version. Thanks for the great library! |
I guess my idea about waiting for all the data doesn't work for array and map types though, since the data needs to be parsed to figure out when it's all present for those types. |
A migration guide would certainly go a long way to help devs update their code for upcoming versions. |
One more idea: we could have a kwarg If you are interested in this, I would be willing to attempt a PR in the next couple weeks. |
It means many people doesn't aware Of course, I know there are many applications they are not relating to DoS attack.
It is not practical because it will kill performance, or introduce a lot of code (and bugs) I don't want maintain.
I'm really sorry. I didn't notice the doc isn't updated automatically. |
Sorry, I can't understand this English. |
I dislike the idea. I don't want to add any more options unless strictly required. |
I came up with an idea to mitigate the pain.
For Unpacker, |
Thanks for the feedback @methane.
That's fair.
This is the same problem I was trying to solve. From my perspective, the various Ping me back if you don't have the time or desire to implement it and I will give it a try. Side note: Does it even make sense to have the |
After "auto" is implemented, the removal can be considered. |
Makes sense to me. |
Has anyone ever had a DoS attack that this even helps mitigate? Is anyone exposing messagepack interfaces to untrusted inputs? This sounds like a solution in search of a problem. If you're going to add a interface for handling untrusted inputs, don't just overwrite the current API with one that will no longer work in a lot of cases. Adding a separate unpacker like
Right now, you have four knobs I have to set. And I'm in a context where both ends are my code, the transport is SSL wrapped, and a DoS is not a concern at all. The whole "unpack limit" thing in general is silly for my use case (and probably most others). Honestly, I'd be most in support of just getting rid of it entirely. If people need to worry about DoS attacks, they can just look at the size of the string they're shoving into the unpacker. |
RPC is one of the usage msgpack is designed for. (See this article)
Four knobs for four thing. It's orthological. |
Only five bytes input (e.g. |
Well, huh. Never mind, then. |
Current default limits seems too large. It can cause DoS attack.
Change default value to more safe value.
Current plan is "about 1MiB on amd64 system".
max_bin_len
: 1024*1024max_str_len
: 1024*1024max_array_len
: 1024*1024/8 (each pointer has 8 bytes)max_map_len
: 1024*1024/32 (8byte key,hash,value, and some extra space)The text was updated successfully, but these errors were encountered: