support keys limit size and allow keys #29

Closed
wants to merge 2 commits into
from

2 participants

Owner
tj commented Dec 31, 2011

Honestly, I don't think anyone will use these settings, you would need to set them in so many places, and those security people even admitted they've never seen it done in practice

fengmk2 commented Dec 31, 2011

@visionmedia
If I use connect, I only put these settings into the query and bodyParser middlewares if they support an options argument.

e.g:

connect()
  .use(connect.query(options))
  .use(connect.bodyParser(options));

If a query string contains too many key-value pairs, and I don't want to set a request body size too small, I think these limit settings would be helpful.
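
As an added example (not code from this pull request or from connect), here is a query-string parser with the kind of limits the comment above asks for: a cap on the number of keys, a cap on key length, and an optional allowlist of keys. The function name `parseQueryBounded` and the option names `maxKeys`, `maxKeyLength` and `allowKeys` are hypothetical; the page does not show the names the PR used.

```javascript
'use strict';

// Hypothetical option names; the page does not show the PR's actual ones.
const DEFAULTS = { maxKeys: 100, maxKeyLength: 64, allowKeys: null };

class QueryLimitError extends Error {}

function decode(s) {
  // '+' means space in application/x-www-form-urlencoded data.
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    throw new QueryLimitError('malformed percent-encoding');
  }
}

function parseQueryBounded(qs, options) {
  const opts = Object.assign({}, DEFAULTS, options);
  const allow = opts.allowKeys ? new Set(opts.allowKeys) : null;
  const out = Object.create(null); // no inherited keys such as __proto__
  let count = 0;
  let start = 0;
  // Walk the string pair by pair so the limit trips before the rest
  // of an oversized input is split or decoded.
  while (start <= qs.length) {
    let end = qs.indexOf('&', start);
    if (end === -1) end = qs.length;
    if (end > start) {
      const pair = qs.slice(start, end);
      const eq = pair.indexOf('=');
      const rawKey = eq === -1 ? pair : pair.slice(0, eq);
      if (rawKey.length > opts.maxKeyLength) {
        throw new QueryLimitError('key too long');
      }
      const key = decode(rawKey);
      if (!allow || allow.has(key)) {
        if (!(key in out) && ++count > opts.maxKeys) {
          throw new QueryLimitError('too many keys');
        }
        out[key] = eq === -1 ? '' : decode(pair.slice(eq + 1));
      }
    }
    start = end + 1;
  }
  return out;
}
```

A caller would catch `QueryLimitError` and answer with a 4xx response; keys outside the allowlist are dropped without ever being inserted into the result object.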

fengmk2 commented Jan 1, 2012

@visionmedia
Our security member has just implemented the "hash algorithm collision" in V8.

And the test succeeded in our nodejs web application using Express.

I will send the test code to your email later, you can check it out.

Owner
tj commented Jan 1, 2012

I'm not saying it can't be done, there are many other attacks as well, I'm just saying they never even found it performed in practice. You could also do it with formidable, with json(), with urlencoded(), with querystring(), there are too many vectors to cover

fengmk2 closed this Nov 25, 2012