# http4k
m
Is it possible for a server to protect from a malicious client sending humongous requests? And for a client to protect from a malicious server sending humongous responses? I tried to simulate this, and got `java.lang.OutOfMemoryError` when using a lens, since it reads the whole payload into memory before parsing it:
```kotlin
class StreamBody(override val stream: InputStream, override val length: Long? = null) : Body {
    override val payload: ByteBuffer by lazy { stream.use { ByteBuffer.wrap(it.readBytes()) } }
    // ...
}
```
It would be nice to be able to specify a max payload size.
d
depending on the backend you're using you can set this up there.
m
Do you have an example?
a
Not an expert, but I feel like that's more the responsibility of a WAF rather than the application. A WAF will typically sit just inside or outside your load balancer.
d
yeah, it kind of depends on your use case
m
What is a WAF?
I did a workaround by wrapping `body.stream` with `org.apache.commons.io.input.BoundedInputStream`, but then I cannot use lenses (or can I?).
you don't really want to start dealing with streams unless you really need to. As mentioned, this isn't really a concern of your endpoints
m
OK, but you have an example of a backend which supports this?
d
which backend are you using?
m
I am not using any at the moment, so I am open to suggestions.
(I am not using http4k in production yet, but considering it.)
(And trying it out.)
but as @Andrew O'Hara says - you should try to rely on the infrastructure for this type of thing
m
OK, nice.
d
configuring the backend is the next step
you don't want to really do it IN your biz logic
m
Right.
What about client?
d
If you do configure the backend, you'll need to write a custom Undertow (or other) backend. This is pretty easy, it's just mostly boilerplate with a couple of options set
what do you mean?
m
I am using http4k as client also, and want to protect against humongous responses from server.
Is there a client backend with similar protection possibility perhaps?
d
but for the client - you are in control of the code aren't you?
I mean it's possible - but once again you would have to configure the underlying client (OkHttp, Apache, Jetty)
well - I don't know actually if any clients support that
a
I haven't found anything to support that in okhttp or apache client yet
f
Whilst theoretically possible for a server to be malicious and send a humongous response, I would argue that it's not going to happen in practice. Any server that you connect to using a client you should already trust (be it an internal server or an external server from a reputable service). That is probably why you don't see that ability included in the most commonly used http clients. My 2p.