swift-server/async-http-client

Rename and clarify the `body.collect(upTo:)` API which gets used in an insecure way all the time

weissi opened this issue · 1 comments

weissi commented

We see code similar to this a lot

let expectedBytes = response.headers.first(name: "content-length").flatMap(Int.init) ?? 1024 * 1024
return Response(status: response.status, buffer: try await response.body.collect(upTo: expectedBytes))

The above code doesn't make any sense because it essentially says

Read as many bytes as you want into memory

This of course can lead to very bad scenarios because the content-length is controlled by the attacker. Furthermore, it's a lot of code to spell the ~equivalent of

return Response(status: response.status, buffer: try await response.body.collect(upTo: Int.max))

And just to be clear, we do not have to check content-length here. The content length is correct, or else NIO would've spotted that and sent an error instead (like illegal EOF condition if it ended prematurely or so).

But let's get to fixing this:

Goals:

  • Reasonable (fixed-sized limit) code should look good and be discoverable without reading much documentation
  • Unreasonable code should be possible but awkward using some word that conveys the danger of what's happening
  • Not overcomplicated

Ideas:

  • Put a reasonable default limit (e.g. 4MB) on there. So body.collect() would be safe
  • Make it clear in the docs that streaming should always be preferred. For example to save something to disk or proxy it, collect(...) should not be used. Only for JSON/protobuf/image/... decoding that needs to happen in memory we should use it
  • Instead of Int use a new type that can be constructed with integer literals or (and thanks to @hamzahrmalik for the idea) using some .init(watchOutWhatYourAreDoingIsDangerous: Int)

Maybe

  • body.collectIntoMemory() -- safe: up to 4 MB
  • body.collectIntoMemory(maximumSize: .megabytes(16)) -- safe: up to 16 MB
  • body.collectIntoMemory(maximumSize: .bytes(contentLength)) -- compiler error: expected type BodySize, actual type Int
  • body.collectIntoMemory(maximumSize: .bytes(BodySize(dangerousCalculatedSizeInBytes: contentLength)) -- unsafe but compiles