liz/veilid
liz/veilid
1
0
Fork 0
Code Pull Requests Packages Releases Activity

Merge branch 'address-localhost-disk-consumption-attack' into 'main'

Browse Source 
Avoid large logs of 127.0.0.1:5959 attack payloads

See merge request veilid/veilid!158
This commit is contained in:
Christien Rioux 2023-09-03 00:32:29 +00:00
commit 64d9f456ce
No known key found for this signature in database
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
veilid-server/src/client_api.rs
View File

@ -15,6 +15,8 @@ use veilid_core::tools::*;
use veilid_core::*; use veilid_core::*;
use wg::AsyncWaitGroup; use wg::AsyncWaitGroup;
const MAX_NON_JSON_LOGGING: usize = 50;
cfg_if! { cfg_if! {
if #[cfg(feature="rt-async-std")] { if #[cfg(feature="rt-async-std")] {
use async_std::io::prelude::BufReadExt; use async_std::io::prelude::BufReadExt;
@ -201,12 +203,21 @@ impl ClientApi {
jrp: JsonRequestProcessor, jrp: JsonRequestProcessor,
request_line: RequestLine, request_line: RequestLine,
) -> VeilidAPIResult<Option<RequestLine>> { ) -> VeilidAPIResult<Option<RequestLine>> {
let line = request_line.line; let line = request_line.line.trim_start();
// Avoid logging failed deserialization of large adversarial payloads from
// http://127.0.0.1:5959 by using an initial colon to force a parse error.
let sanitized_line = if line.len() > MAX_NON_JSON_LOGGING && !line.starts_with("{") {
":skipped long input that's not a JSON object".to_string()
} else {
line.to_string()
};
let responses_tx = request_line.responses_tx; let responses_tx = request_line.responses_tx;
// Unmarshal NDJSON - newline => json // Unmarshal NDJSON - newline => json
// (trim all whitespace around input lines just to make things more permissive for API users) // (trim all whitespace around input lines just to make things more permissive for API users)
let request: json_api::Request = deserialize_json(&line)?; let request: json_api::Request = deserialize_json(&sanitized_line)?;
// See if this is a control message or a veilid-core message // See if this is a control message or a veilid-core message
let response = if let json_api::RequestOp::Control { args } = request.op { let response = if let json_api::RequestOp::Control { args } = request.op {