~cadence/tube#34: 
Security: User-configurable instance may return bad data

Could return malformed JSON, incorrect types, missing keys, infinite responses (causing potential issues with bandwidth, memory, disk storage usage), and so on.

Validation and tests are required to make sure CloudTube doesn't hit any severe errors.

Reducing the instances that can be used would help stop this problem before it starts, but it cannot be relied on as a true solution.

Status
REPORTED
Submitter
~cadence
Assigned to
No-one
Submitted
3 years ago
Updated
3 years ago
Labels
cloudtube discussion

~cadence closed duplicate ticket #32 3 years ago

~reivilibre 3 years ago

Some thoughts:

  • 'slow HTTP' attack — would need to time-out connections so that a malicious instance can't trickle back bytes at a time and keep a connection open for a long time
  • need to limit the size of the response body

Things like issues in the JSON decoder are so severe that they could probably also be exploited through other means (e.g. on the public HTTP web interface provided by CloudTube)

Register here or Log in to comment, or comment via email.