jcayzac
jcayzac12mo ago

std/http/server: URI too long —how to avoid loading those?

Using https://deno.land/std@0.194.0/http/server.ts, is there a way to reject long URIs before they are loaded in memory? I have a middleware that responds with 414 URI Too Long when the URI length is > 8192, but this only saves me from the cost of parsing that thing —it's still already loaded in memory even if it's 1MB in size. How can I get the server to close the connection when the URI grows beyond 8k instead?
5 Replies
porridgewithraisins
porridgewithraisins12mo ago
Ngl I've never seen someone handle a 416 uri too long. :p. I wouldn't worry about it in your case. Whatever low level http library is anyways loading it into memory and giving that to you. Unless you change the max length down there it won't matter. Also, I'm sure the underlying http implementation already has a reasonable limit for uri length
jcayzac
jcayzac12mo ago
Well it does not. I tried hitting my server with URIs a few megabytes long and they got loaded into memory and passed to my handler. This seems to make it super easy to DoS any Deno server (unless of course it's behind a reverse proxy that offers that protection, but then it should be written in big red ink somewhere that Deno isn't suitable for serving things directly)
jcayzac
jcayzac12mo ago
Some example validation out in the wild: https://devcenter.heroku.com/articles/http-routing#http-validation-and-restrictions
HTTP Routing | Heroku Dev Center
HTTP routing on the Common Runtime has an HTTP stack supporting HTTP 1.1, a rolling timeout mechanism, and multiple simultaneous connections.
jcayzac
jcayzac12mo ago
If no size constraint can be put on request elements (URI, header names, header values, cookies...), then Deno cannot be used in any internet-facing application, and only behind other servers that do support these.
porridgewithraisins
porridgewithraisins12mo ago
Oh wow, that sounds pretty important then. Try tagging some deno contributors and see what they have to say
More Posts
Worker: TS2304 [ERROR]: Cannot find name 'postMessage'When type-checking a worker script that uses the global `postMessage()` method, `deno check` gives aHow to recover from worker death? It terminates my main program…In the error message handler, I replace the dead worker with a new one, but it kills my program eithIs there anyone using kv with pentagon ORM and Zod ?I've tried using pentagon for Deno kv in a Fresh project, and it seems like it's not working.Prefix Kv keys with a base partCurrently I add `base()` to all keys: ``` kv.set([base(), "foo"], value) ``` Instead of manually adCaching old versionsWhy is deno caching old versions even tho the version is specifieddeno check: Module '"internal:///missing_dependency.d.ts"' has no exported member...The sequence of events: - Upgraded to Deno 1.35.0 - ran `deno check` on my code - got an error like cargo compile size 160MWhen using `cargo install deno` the result is 160M, if there's info on shrinking this somewhere pleaDeno type enforcementHey, I have a question about the type checking. ```ts function logging(message : number) { consoAvoiding use-after-freeI encountered a use-after-free issue when writing an FFI binding. The code looks like this. ```ts coDNS Records and Denoso I am confused I'm building an application that uses Steam's web API and am looking at why the res