Destroy stream on exceeding maxContentLength (fixes #1098) #1485
Conversation
|
Are there updates on when this fix will be merged? |
|
Hi @rubennorte could you take a look ? |
|
Update on this one? https://snyk.io/test/npm/axios/0.18.0 |
|
@emilyemorehouse would you be able to review this when you get a chance? The DoS vulnerability was recently published on Snyk (https://snyk.io/vuln/SNYK-JS-AXIOS-174505) and may be causing some CI pipelines to fail |
|
Both Snyk and SourceClear (SC had it for quite some time): https://www.sourceclear.com/vulnerability-database/vulnerabilities/6130 |
|
Hello, Please correct me if I am wrong, but it looks like all that is needed here is a one line change that was submitted via a PR more than a year ago. It also looks like all tests have passed on that PR. I am very appreciative of the work that has gone into this project. I have quite a few projects of my own that depend on the awesome work contributed here. If there is additional work that needed to be done for this I would be happy and proud to pitch in. Is there a way we can get this PR merged and released to close the security vulnerability? I would really like to continue to use this project, but I have a responsibility to ensure that the projects that I maintain are free from vulnerabilities. Thank you for the continued efforts on this project and please let me know if there is something I can contribute to help close the vulnerability and add value to this project. |
|
Glad to see this is merged. Does anybody know when would be the next stable release? |
|
The latest build failed: https://travis-ci.org/axios/axios/jobs/529505165 |
|
There's a nested dependency with native code that doesn't seem to support Node 12. I'll make a PR to lower the Node version that the CI uses so that the rest of the build can run Edit: Opened PR #2138 |
|
As soon as CI is green, I'll issue a release! |
|
We've tried this code and there appears to be some situations where @emilyemorehouse i would not recommend releasing until this is addressed. |
|
I am sorry to say that I have experienced this issue as well:
|
|
Can we just wrap it in a null check before destroying? |
|
@Luidog @hughns out of curiosity I looked into this, and it looks like there's something wrong with the patch from Snyk if you try to use it with axios 0.18.0. If you look in your if (config.responseType === 'stream') {
response.data = stream;
settle(resolve, reject, response);
} else {
var responseBuffer = [];
stream.on('data', function handleStreamData(chunk) {
responseBuffer.push(chunk);
// make sure the content length is not over the maxContentLength if specified
if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
// stream.destroy() should have been added here
reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
config, null, lastRequest));
}
});
stream.on('error', function handleStreamError(err) {
if (req.aborted) return;
reject(enhanceError(err, config, null, lastRequest));
});
stream.on('end', function handleStreamEnd() {
var responseData = Buffer.concat(responseBuffer);
if (config.responseType !== 'arraybuffer') {
responseData = responseData.toString('utf8');
}
response.data = responseData;
settle(resolve, reject, response);
});
}
});
// Handle errors
req.on('error', function handleRequestError(err) {
if (req.aborted) return;
reject(enhanceError(err, config, null, req));
});
// Handle request timeout
if (config.timeout && !timer) {
timer = setTimeout(function handleRequestTimeout() {
req.abort();
reject(createError('timeout of ' + config.timeout + 'ms exceeded', config, 'ECONNABORTED', req));
}, config.timeout);
}
stream.destroy(); // <-- incorrectly added here
if (config.cancelToken) {
// Handle cancellation
config.cancelToken.promise.then(function onCanceled(cancel) {
if (req.aborted) return;
req.abort();
reject(cancel);
});
}So it seems like it's an issue with the Snyk patch, not axios itself. I sent a message to their support team to let them know |
|
Thanks @rajivshah3, working on remediating it. @hughns @Luidog have you experienced the no stream defined from applying the snyk patch or from the recent change merged to this repo? |
|
One more ping @rajivshah3 @hughns @Luidog - not sure which one of you uses the Snyk patch but heads up that we've updated it a couple of hours ago and if you re-run |
|
@rajivshah3 Well spotted! I should have added that this was via snyk (and that I have raised a ticket with snyk support too). We haven't tested with the 0.19.0-beta.1 release yet. @lirantal Yes, we saw the issue after the snyk patch was applied. The support ticket is https://support.snyk.io/hc/en-us/requests/445 |
|
Thanks for the quick response @lirantal ! The patch looks good now |
|
Great to hear, thanks for the update both! |
|
@lirantal, I did indeed used the original snyk patch which caused the test failures. I have rerun the |
|
Apologies if it's veering offtopic for this thread, but is there a mechanism to tell the Snyk folks when an issue has been remediated in a new release? |
|
@schmod you can always give us a ping through support@snyk.io or security@snyk.io. I'm happy to also take this offline with you through twitter (I'm at https://www.twitter.com/liran_tal) and be a source of contact or any other security related help I can provide |
Currently, axios won't destroy download stream on exceeding maxContentLength, which in some cases can lead to high cpu usage and subsequent denial of service.
Here is how it looks (200 MB file, limit is 20 MB):
It almost hangs nodejs process for ~30 seconds, spending all that ticks on handling already rejected download.
This PR adds
stream.destroy()(suggested in #1098), which is being called right before throwing an error about size limit.