Replies: 3 comments
-
I will convert this to a discussion because I don't think there's anything actionable for Sinatra to do at this point.
-
What web server did you use? puma/puma#3062 is included in Puma 6.1.0 and up.
-
In Puma 6.1.0 and up you also have puma/puma#3040.
-
HTTP requests containing a large body can cause huge memory and CPU consumption on the server.
Sending a 4 GB body caused the Ruby process to grow over 40 GB in memory (then swapping started).
This can be used by a malicious client to DoS attack the server!
It happens if the `Content-Type` suggests the body can be parsed by Rack.
Bad example: `Content-Type: application/x-www-form-urlencoded`
Good example: `Content-Type: application/octet-stream`
These are just two example content types which reproduce good and bad behavior.
The content type need not even be wrong. The client might be sending 4 GB of `x-www-form-urlencoded` data.
Details
In some way this is a problem of Rack. But Sinatra is invoking Rack to start the parsing. So I'm opening the issue here.
Stacktrace (captured via gdb `call (void)rb_backtrace()` on Debian-12-Testing / Bookworm):
In `Rack::Request#POST` this is happening: `parseable_data?` is true depending on the `Content-Type`.
Reproduction:
If the client adds `--header='Content-Type: application/octet-stream'` the problem will be avoided.
Questions, Proposal, Related
Is there a way to disable this behavior in Sinatra? So Sinatra won't ask Rack to parse the body.
When using pure Rack there's no automatic body parsing.
I guess either Sinatra or Rack should check the body size or limit the maximum number of bytes being parsed.
A simple solution would be to add a maximum number of bytes to the `read` call:
Related: rack/rack#2049
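As an added example (not code from Sinatra, Rack or the poster), the size check proposed in the post can be applied in a Rack middleware that sits in front of the application, so an oversized form body is rejected before `Rack::Request#POST` ever reads it. The set of "parseable" content types, the 1 MiB default cap and the `CapParseableBody` name are assumptions made for this example.

```ruby
# Added example, not Sinatra's or Rack's own code. A Rack middleware that
# enforces a byte cap on bodies Rack would parse as form data, before the
# request reaches Rack::Request#POST. The parseable types listed below are
# an assumption mirroring the post (form-urlencoded) plus multipart forms.
class CapParseableBody
  PARSEABLE_TYPES = [
    %r{\Aapplication/x-www-form-urlencoded}i,
    %r{\Amultipart/form-data}i
  ].freeze

  # max_bytes: largest form body the app is willing to parse (assumed default 1 MiB)
  def initialize(app, max_bytes: 1024 * 1024)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    # Bodies Rack does not parse (e.g. application/octet-stream) pass through;
    # the app reads env['rack.input'] itself and can stream it.
    return @app.call(env) unless parseable?(env['CONTENT_TYPE'])

    length = env['CONTENT_LENGTH'].to_s
    # Without a declared length (e.g. chunked transfer) the parser's read
    # cannot be bounded up front, so refuse rather than buffer blindly.
    return reject(411, 'Content-Length required for form bodies') if length.empty?

    bytes = Integer(length, 10)
    return reject(400, 'invalid Content-Length') if bytes < 0
    return reject(413, "form body larger than #{@max_bytes} bytes") if bytes > @max_bytes

    @app.call(env)
  rescue ArgumentError
    # Integer() raises on a malformed header value such as "abc"
    reject(400, 'invalid Content-Length')
  end

  private

  def parseable?(content_type)
    PARSEABLE_TYPES.any? { |re| re.match?(content_type.to_s) }
  end

  def reject(status, message)
    [status, { 'content-type' => 'text/plain' }, ["#{message}\n"]]
  end
end
```

In a `config.ru` the middleware goes ahead of the Sinatra app with `use CapParseableBody, max_bytes: 1024 * 1024`; non-form uploads are unaffected and keep streaming through `rack.input`.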