Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I limit the size of a Net::HTTP request?

Tags:

security

ruby

ruby-on-rails

I'm creating an API service which allows people to provide a URL of an image to the API call, and the the service downloads the image to process.

How do I ensure somebody does NOT give me the URL of, like, a 5MB image? Is there a way to limit the request?

This is what I have so far, which basically grabs everything.

  req = Net::HTTP::Get.new(url.path)
  res = Net::HTTP.start(url.host, url.port) { |http|
    http.request(req)
  }

Thanks, Conrad

like image 558
chuboy Avatar asked Dec 18 '22 05:12

chuboy

2 Answers

cwninja unfortunately gave you an answer that will only work for accidental attacks. An intelligent attacker will have no trouble at all defeating that check. There are two main reasons his method should not be used. First, nothing guarantees that the information in a HEAD response will match the corresponding GET response. A properly behaving server certainly will do this, but a malicious actor does not have to follow the spec. The attacker could simply send a HEAD response that says it has a Content-Length that's less than your threshold, but then hand you a huge file in the GET response. But that doesn't even cover the potential for a server to send back a response with the Transfer-Encoding: chunked header set. A chunked response could quite possibly never end. A few people pointing your server at never-ending responses could carry out a trivial resource-exhaustion attack, even if your HTTP client enforces a timeout.

To do this correctly, you need to use an HTTP library that allows you to count the bytes as they're received, and abort if it crosses the threshold. I would probably recommend Curb for this rather than Net::HTTP. (Can you even do this at all with Net::HTTP?) If you use the on_body and/or on_progress callbacks, you can count the incoming bytes and abort mid-response if you receive a file that's too large. Obviously, as cwninja already pointed out, if you receive a Content-Length header larger than your threshold, you want to abort for that too. Curb is also notably faster than Net::HTTP.

like image 83
Bob Aman Avatar answered Dec 30 '22 23:12

Bob Aman

Try running this first:

Net::HTTP.start(url.host, url.port) { |http|
  response = http.request_head(url.path)
  raise "File too big." if response['content-length'].to_i > 5*1024*1024
}

You still have a race condition (someone could swap out the file after you do the HEAD request), but in the simple case this asks the server for the headers it would send back from a GET request.

like image 42
cwninja Avatar answered Dec 30 '22 23:12

cwninja
Sign in to Comment

Related questions

docker-compose error connecting to redis + sidekiq
rails - Exporting a huge CSV file consumes all RAM in production
how to run rake task using rails migration
Attach active storage file to mailer
docker-compose run command cannot find gem after running bundle install
Meaning of Ynaqdhm?
Why is elasticserach-rails suddenly raising Faraday::ConnectionFailed (execution expired)?
Create list of lists from list of json objects ruby
Check if String Contains an Emoji in Ruby
nokogiri not installing in ruby 2.7.1 centos 7.2
Proxy choices: mod_proxy_balancer, nginx + proxy balancer, haproxy?
rails routing controller action change
How do I do a join query in rails?
ROR: To scaffold or not?
How can I find non ascii strings in an array of strings, in Rails 2.0/ruby 1.8.6?
Acts_as_paranoid, is_paranoid... Alternatives?
Git / Rails / Shared Hosting (Dreamhost) workflow
Recent Activities in Ruby on Rails
Snow Leopard, sqlite3-ruby
Sort an array in Ruby ignoring articles ("the", "a", "an")

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!