Limit amount of data in a message #107

Closed
davedoesdev opened this Issue Dec 9, 2013 · 5 comments

Contributor

davedoesdev commented Dec 9, 2013

I'm thinking there may be a way of attacking a server by sending a very large message. Primus should drop the connection if too much data is being sent (which would result in large memory usage).
Maybe it already does this?

Owner

3rd-Eden commented Dec 9, 2013

I do know that there are some safeguards for this in Socket.IO which prevent people from using POST as a memory attack, but ws doesn't have any byte restrictions. When sending a large message it would probably use fragmented frames for the message, which ws will buffer in memory before emitting a message event. So that could probably be leveraged as an attack.

einaros/ws#104
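
The buffering behaviour described in the comment above, with a cumulative size limit applied while fragments arrive. This is an added example, not part of the thread and not code from Primus, ws or faye-websocket; `BoundedAssembler`, `demo` and the simplified `{ fin, data }` frame shape are hypothetical.

```javascript
// Added example: hypothetical reassembler, not Primus/ws/faye-websocket code.
const CLOSE_MESSAGE_TOO_BIG = 1009; // RFC 6455 status code "Message Too Big"

class BoundedAssembler {
  constructor(maxLength) {
    this.maxLength = maxLength; // cap in bytes for one reassembled message
    this.peak = 0;              // largest number of bytes ever held at once
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.total = 0;
  }

  // frame: { fin: boolean, data: Buffer }. Simplified: a real parser would
  // compare the length declared in the frame header before reading the payload.
  // Returns { message }, { close }, or {} while more fragments are expected.
  push(frame) {
    // Check the running total BEFORE storing the fragment, so buffered data
    // stays within maxLength no matter how many fragments the peer sends.
    if (this.total + frame.data.length > this.maxLength) {
      this.reset(); // release everything buffered so far
      return { close: CLOSE_MESSAGE_TOO_BIG };
    }
    this.chunks.push(frame.data);
    this.total += frame.data.length;
    this.peak = Math.max(this.peak, this.total);
    if (!frame.fin) return {};
    const message = Buffer.concat(this.chunks, this.total);
    this.reset();
    return { message };
  }
}

// Feeds one message, split into fragments of the given sizes (constructed input).
function demo(maxLength, sizes) {
  const asm = new BoundedAssembler(maxLength);
  for (let i = 0; i < sizes.length; i++) {
    const fin = i === sizes.length - 1;
    const result = asm.push({ fin, data: Buffer.alloc(sizes[i], 0x61) });
    if (result.close) return { closed: result.close, atFragment: i, peak: asm.peak };
    if (result.message) return { length: result.message.length, peak: asm.peak };
  }
  return { peak: asm.peak };
}

console.log(demo(1024, [400, 400, 200]));      // delivered as one message
console.log(demo(1024, [400, 400, 400, 400])); // rejected at the third fragment
```

On a `close` result the caller would close the connection with that status code instead of continuing to read from the socket.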

Contributor

STRML commented Dec 10, 2014

It looks as though faye-websocket does support such a limit, but I don't see any way to pass the maxLength property into Faye using Primus.

Member

lpinca commented Jul 24, 2016

This has been partially addressed in 5e996a6 and 8846739.
browserchannel and sockjs (when not using WebSocket) do not have an option to limit the maximum message size.

Contributor

davedoesdev commented Jul 27, 2016

Fine to close then?

Member

lpinca commented Jul 27, 2016

Yes, I think it's fine to close this. I'm not sure if it's possible to fix the issue for the two transformers mentioned above (browserchannel and sockjs) but it's probably better to find a solution upstream if one exists.

@lpinca lpinca closed this Jul 27, 2016
