from Hacker News

Watch out for DoS when using Rust’s Hyper package

by simjue on 1/7/23, 8:41 AM with 19 comments

  • by seeekr on 1/7/23, 9:18 AM

    I'm confused by the fact that there's no mention of interaction with the Hyper project's authors. I'm fairly certain that Sean & contributors will want to address the underlying issue, if they haven't already done so (clearly they were describing the potential for misusing the Hyper API very directly in the docs!), and pointing that out and clearly stating when and how that has been or will be addressed would shine a much more positive light on everyone, including the security researchers.

    I see that there's an 1.0 RC release and the offending API seems to have changed and is probably not amenable to this type of misuse any more. The article authors could have easily added some info about that -- I certainly would have appreciated not having to go looking for that myself.

  • by keybored on 1/7/23, 9:53 AM

    > single Bytes buffer, for example the following unsafe usage

    Highlighting “unsafe” in red in an article about a Rust package when talking about something which is not Unsafe is so cursed.

  • by lovasoa on 1/7/23, 3:13 PM

    Maybe there shouldn't be a

        to_bytes(body) -> Bytes
    function at all ?

    Only a

        to_bytes(body: B, max_size: Option<usize>)
    This way if someone REALLY wants the behavior that potentially results in a crash, they still have access to it, but have to be really explicit about it.

  • by jedisct1 on 1/7/23, 1:35 PM

    Rouille, another Rust HTTP server, can also trivially be DOS'd by sending a Content-Length that doesn't match the actual content length.

    But HTTP implementations like these are not really meant to directly face the internet. They usually sit behind reverse proxies/API gateways/CDNs.

  • by jayjader on 1/7/23, 9:06 AM

    Good to see public sharing not only of such a problem, but also how to fix it in your own code.

    I am a bit disconcerted that something that apparently is warned against in the docs, is done across several "big" packages that use Hyper. Maybe with a more appropriate name exposed by the library, for example `to_bytes_unchecked`, such "bad" uses would be less wide-spread.

  • by sbt567 on 1/7/23, 9:23 AM

  • by qprofyeh on 1/7/23, 9:20 AM

    I assume most production environments will run a reverse proxy like nginx which have sensible defaults. Good find nonetheless. Should be patched by Hyper.

  • by curling_grad on 1/7/23, 1:38 PM

    Will falliable allocations help eliminate these kinds of DoS vulnerabilities?

    AFAIK there's a proposal: https://rust-lang.github.io/rfcs/2116-alloc-me-maybe.html

  • by habibur on 1/7/23, 9:40 AM

    Another relatively safe strategy : Don't buffer http data on server. Read a limited sized header and then stream the body to its request handler.

  • by throwaway67743 on 1/7/23, 11:54 PM

    Recently on HN: nothing can ever happen in rust it's impossible to write bad code

  • by baq on 1/7/23, 11:09 AM

    What's interesting to me is we've known about these class of API misdesign issues since gets(3)... sometimes convenient and ergonomic is really not the right way to do it.