Limit post size to help against DoS attacks #446

Closed
alessioalex opened this Issue Dec 29, 2011 · 4 comments


alessioalex commented Dec 29, 2011

This won't solve the problem completely, but it would help.

Read more about this problem here:

http://www.ocert.org/advisories/ocert-2011-003.html
http://www.youtube.com/watch?v=R2Cq3CLI6H8

The Socket.IO guys already made a commit for this a month ago:

socketio/socket.io@a7f45fe

I think we should be able to specify a max post size and the bodyParser should kill what exceeds that. The implementation should probably be done in the file: https://github.com/senchalabs/connect/blob/master/lib/middleware/json.js


tj commented Dec 29, 2011

We have limit() for this, which works for any request body. Even without this specific issue you could exhaust resources reasonably easily without some form of limiting.

tj closed this Dec 29, 2011


alessioalex commented Dec 29, 2011

Can you please elaborate? I couldn't find any limit() function in the source code, and in node-formidable I only saw incomingForm.maxFieldsSize. Thanks
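
The approach discussed in this thread, capping the request body and aborting whatever exceeds the cap, shown as an added example that is not connect's code and not written by any participant. `readLimitedBody`, `fakeRequest` and `simulate` are hypothetical names, and the request object is a constructed stand-in so the block runs offline.

```javascript
// Added example: readLimitedBody is a hypothetical helper, not connect's limit().
// req is anything shaped like http.IncomingMessage: headers, on(), destroy().
function readLimitedBody(req, maxBytes, done) {
  let received = 0, settled = false;
  const chunks = [];
  function finish(err, body) {
    if (!settled) { settled = true; done(err, body); } // report exactly once
  }
  function reject() {
    const err = new Error('request entity too large');
    err.status = 413;
    req.destroy(); // stop reading so the client cannot keep streaming
    finish(err, null);
  }
  // Stage 1: refuse a declared Content-Length above the cap before reading.
  const declared = Number(req.headers['content-length']);
  if (Number.isFinite(declared) && declared > maxBytes) return reject();
  // Stage 2: chunked bodies carry no Content-Length, so count bytes as they arrive.
  req.on('data', (chunk) => {
    if (settled) return;
    received += Buffer.byteLength(chunk);
    if (received > maxBytes) return reject();
    chunks.push(Buffer.from(chunk));
  });
  req.on('end', () => finish(null, Buffer.concat(chunks)));
}

// Constructed stand-in for an incoming request, so the example runs offline.
function fakeRequest(headers) {
  const handlers = {};
  return {
    headers,
    destroyed: false,
    on(event, fn) { handlers[event] = fn; return this; },
    emit(event, arg) { if (handlers[event]) handlers[event](arg); },
    destroy() { this.destroyed = true; },
  };
}

// Feed constructed chunks through the limiter and return what it reported.
function simulate(headers, chunks, maxBytes) {
  const req = fakeRequest(headers);
  let result;
  readLimitedBody(req, maxBytes, (err, body) => {
    result = { status: err ? err.status : 200, bytes: body ? body.length : 0 };
  });
  for (const c of chunks) req.emit('data', c);
  req.emit('end');
  return Object.assign(result, { destroyed: req.destroyed });
}
```

Counting bytes in the `data` handler is what bounds memory for bodies sent without a Content-Length; the header check only saves reading a body the client has already declared to be too large.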
