Comments (9)
I have a fix for it that carries the BUFFER_MAX size. Maybe that's too small.
I believe we might have a similar bug when reading headers: https://github.com/heroku/vegur/blob/master/src/vegur_client.erl#L388-L455 We should impose a limit on each pair.
Good catch!
A protection similar to what is enabled by this is what we'd probably need there, with a large value to prevent breaking anything.
Yeah. I did a small test that enforced the same limit but had a number of tests failing and decided to wait with it until the vegur_logging branch gets merged.
@ferd I looked into Pull Request #37 and it does not protect us against a bad dyno sending a single header pair that might blow our memory usage. Since we split on \r\n, I could send a header of the following format:
HeaderKeyThatGoesOnForever
or
HeaderKey: InfinityLongString
and we would buffer it.
Good point. Further protection needs to be added there. The one I've added for cookies turns out to only block out possibly fair usage that would have killed the requests coming back into our system.
That should possibly be checked at https://github.com/heroku/vegur/blob/88890bb7dab96157d9b09bf6538275b2d5a35c4e/src/vegur_client.erl#L455-461 or maybe at the top of the loop itself, and we'll need to add tests. I'll try to do something about it this morning while I wait for reviews of benchmarks.
Limits put on the dyno in the current stack:
- header name length: 1000 characters
- total header size/value size: >1MB, I hit gateway timeouts before 502s.
For this reason, I'm thinking we should set a large header value limit (512kb so we break nothing), keep the 1000 header name length, and enforce an artificially low value for cookie values themselves to prevent DoS.
+1 on that design.
Handled in pull req #40
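One way to enforce the per-pair limits the thread converges on, as an added Python example rather than vegur's own Erlang code: the reader applies the name and value caps to the unterminated tail of the buffer after every chunk, so a line that never sends `\r\n` (the "HeaderKeyThatGoesOnForever" case above) is rejected instead of buffered indefinitely. The 1000-byte name cap and 512 KB value cap are the thread's numbers; the cookie cap and the header-count cap are assumed values.

```python
# Incremental HTTP/1.1 header reader with per-pair memory bounds.
# The name and value caps are the thread's numbers; the cookie cap and
# the pair count are constructed values for this example.
MAX_NAME_LEN = 1000
MAX_VALUE_LEN = 512 * 1024
MAX_COOKIE_LEN = 8 * 1024      # assumed: artificially low cap for cookies
MAX_HEADER_COUNT = 100         # assumed: bound the number of pairs as well

class HeaderTooLarge(ValueError):
    """Raised as soon as a pair exceeds its cap; the caller should drop the connection."""

def value_cap(name: bytes) -> int:
    """Cookies get the low cap, every other header the large one."""
    return MAX_COOKIE_LEN if name.strip().lower() == b"cookie" else MAX_VALUE_LEN

def check_bounds(line: bytes) -> None:
    """Apply the caps to a line, complete or not, so an unterminated
    'HeaderKeyThatGoesOnForever' or 'HeaderKey: InfinityLongString'
    is rejected before any more of it is buffered."""
    name, sep, value = line.partition(b":")
    if len(name) > MAX_NAME_LEN:
        raise HeaderTooLarge("header name exceeds %d bytes" % MAX_NAME_LEN)
    if sep and len(value.lstrip()) > value_cap(name):
        raise HeaderTooLarge("value of %r exceeds its cap" % name.strip())

class HeaderReader:
    def __init__(self):
        self.buf = b""
        self.headers = []

    def feed(self, chunk: bytes):
        """Consume bytes as they arrive; return the header list once the
        terminating blank line is seen, None while more input is needed."""
        self.buf += chunk
        while True:
            end = self.buf.find(b"\r\n")
            if end < 0:
                check_bounds(self.buf)          # bound the partial line too
                return None
            line, self.buf = self.buf[:end], self.buf[end + 2:]
            if line == b"":
                return self.headers
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line")
            check_bounds(line)
            if len(self.headers) >= MAX_HEADER_COUNT:
                raise HeaderTooLarge("too many header pairs")
            self.headers.append((name.strip().lower(), value.strip()))
```

Because the partial line is checked after every chunk, the memory overshoot beyond a cap is bounded by one socket read rather than by whatever the client chooses to send.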