jcayzac 12mo ago

std/http/server: URI too long — how to avoid loading those?

Using https://deno.land/std@0.194.0/http/server.ts, is there a way to reject long URIs before they are loaded in memory? I have a middleware that responds with 414 URI Too Long when the URI length is > 8192, but this only saves me from the cost of parsing that thing — it's still already loaded in memory even if it's 1MB in size. How can I get the server to close the connection when the URI grows beyond 8k instead?
5 Replies
porridgewithraisins
Ngl I've never seen someone handle a 416 URI too long. :p. I wouldn't worry about it in your case. Whatever low-level HTTP library is anyways loading it into memory and giving that to you. Unless you change the max length down there it won't matter. Also, I'm sure the underlying HTTP implementation already has a reasonable limit for URI length.
jcayzac 12mo ago
Well it does not. I tried hitting my server with URIs a few megabytes long and they got loaded into memory and passed to my handler. This seems to make it super easy to DoS any Deno server (unless of course it's behind a reverse proxy that offers that protection, but then it should be written in big red ink somewhere that Deno isn't suitable for serving things directly)
jcayzac 12mo ago
HTTP Routing | Heroku Dev Center
HTTP routing on the Common Runtime has an HTTP stack supporting HTTP 1.1, a rolling timeout mechanism, and multiple simultaneous connections.
jcayzac 12mo ago
If no size constraint can be put on request elements (URI, header names, header values, cookies...), then Deno cannot be used in any internet-facing application, and only behind other servers that do support these.
porridgewithraisins
Oh wow, that sounds pretty important then. Try tagging some Deno contributors and see what they have to say.
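
The bounded read the question asks for, as an added example that is not from the thread and is not Deno or std/http API: the decision is made chunk by chunk as bytes arrive, so at most 8192 bytes of request line are ever held. `RequestLineGuard`, `Verdict` and `ascii` are hypothetical names, and the sketch assumes code that reads raw socket chunks itself; the limit counts every byte before the LF, including the CR.

```typescript
// Added example: hypothetical names, not part of Deno or std/http.
const MAX_REQUEST_LINE = 8192; // the 8k limit used in the thread

type Verdict = "need-more" | "accept" | "reject-414";

class RequestLineGuard {
  private limit: number;
  private kept: number[] = []; // bounded: never grows past `limit`
  private verdict: Verdict = "need-more";

  constructor(limit: number = MAX_REQUEST_LINE) {
    this.limit = limit;
  }

  // Feed one chunk exactly as it was read from the socket.
  push(chunk: Uint8Array): Verdict {
    if (this.verdict !== "need-more") return this.verdict; // decision is final
    for (let i = 0; i < chunk.length; i++) {
      const b = chunk[i];
      if (b === 0x0a) return (this.verdict = "accept"); // LF ends the line
      if (this.kept.length === this.limit) {
        this.kept = []; // drop what was buffered; caller sends 414 and closes
        return (this.verdict = "reject-414");
      }
      this.kept.push(b);
    }
    return "need-more";
  }

  // Bytes currently held for the request line.
  bufferedBytes(): number {
    return this.kept.length;
  }

  // Request line without the trailing CR; only meaningful after "accept".
  line(): string {
    return String.fromCharCode(...this.kept).replace(/\r$/, "");
  }
}

// Helper for constructed sample input (ASCII only).
function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i);
  return out;
}
```

On `reject-414` the caller stops reading and closes the connection, so the remainder of an oversized URI is never pulled off the socket.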