Support request limits #116

Closed
dtrebbien opened this Issue · 3 comments

Daniel Trebbien

The HTTP server/framework vulnerabilities that have been discovered recently underscore the importance of request limits. E.g.:

It would be nice if Snap server and Snap Framework supported limits on requests including:

  1. Request body limit – A limit on the Content-Length of a request, or, if the request is being sent chunked, a limit on the amount of data that will be read in (called LimitRequestBody by Apache).
  2. Limit on number of request headers (called LimitRequestFields by Apache)

    This is particularly important because snap-core parses the request headers into a Data.HashMap.Strict from unordered-containers. An attacker might be able to exploit knowledge of the hashing function used by Data.HashMap.Strict to carry out a hashDoS.

  3. Request header size limit – A per-header limit on the number of bytes that can be contained in the header (called LimitRequestFieldSize by Apache)

    If request headers are merged, then the limit needs to be applied to the merged header.

  4. Request line size limit – A limit on the length of the request line (called LimitRequestLine by Apache)
  5. Limit on number of request ranges – For a partial request, a limit on the number of non-overlapping ranges that may be requested (called MaxRanges by Apache)
  6. Restriction of URIs that are "rangeable" – A set of regular expressions or file globs that a URI must match in order to be requestable in ranges.
  7. Limit on the number of request parameters (framework limit) – A limit on the number of request parameters that will be parsed (called max_input_vars by PHP)

    Snap Framework is not vulnerable to the hashDoS attack described at Effective DoS attacks against Web Application Platforms – #hashDoS [UPDATE3] because it parses the request parameters into a Data.Map (ordered map). However, when a repeat parameter is encountered, the value of the repeated parameter is appended to the end of the list of ByteStrings for that parameter name, an O(n) operation. That might be exploitable if the same parameter name is used thousands of times.

  8. Max execution time limit (framework limit) – A limit on the number of seconds that may be used to send a response (called max_execution_time by PHP)
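
Item 7's concern, as an added example that is not snap-core code and not part of the original issue: a query-string parser that caps the number of parameters and prepends repeated values (reversing once at the end) instead of appending. `parseParams` and `maxParams` are hypothetical names, the inputs are constructed, and URL decoding is omitted.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not snap-core code. parseParams and maxParams are
-- hypothetical names; URL decoding is left out to keep the focus on limits.
module Main (main) where

import qualified Data.ByteString.Char8 as B
import           Data.List             (foldl')
import qualified Data.Map.Strict       as M

type Params = M.Map B.ByteString [B.ByteString]

-- | Parse "k=v&k=v" pairs, rejecting input that carries more than
-- maxParams pairs (the max_input_vars idea from item 7).
parseParams :: Int -> B.ByteString -> Either String Params
parseParams maxParams raw
  -- take (maxParams + 1) stops counting as soon as the limit is exceeded.
  | length (take (maxParams + 1) pairs) > maxParams =
      Left "too many request parameters"
  | otherwise = Right (M.map reverse (foldl' step M.empty pairs))
  where
    pairs = filter (not . B.null) (B.split '&' raw)
    -- insertWith f k new calls f new old, so this is [v] ++ old: an O(1)
    -- prepend. Appending (old ++ [v]) would walk the existing list on every
    -- repeat, O(n^2) in total for n repeats of one name. The single reverse
    -- above restores the order in which the values arrived.
    step m p =
      let (k, v) = B.break (== '=') p
      in  M.insertWith (++) k [B.drop 1 v] m

main :: IO ()
main = do
  -- Constructed inputs: a small request with one repeated name, then a
  -- request that repeats the same name 5000 times.
  print (parseParams 4 "a=1&b=2&a=3")
  print (parseParams 4 (B.intercalate "&" (replicate 5000 "x=1")))
```

The count check only bounds the map; the split still touches the whole input, so a request body limit (item 1) is what bounds the parsing work itself.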
Herbert Valerio Riedel
Collaborator

fwiw, readRequestBody has a mandatory parameter for stating the maximum allowed body content-length of an HTTP request...

Gregory Collins
Owner

Closing this.
