 

How robust is nodejs as an http server? [closed]

If I use the http module of nodejs to make a simple http server, how much validation/checking do I have to do?

Does the module take care of security issues like malformed requests and requests with malicious header values? Does the module ensure that everything follows the http spec, or do I have to do a lot of checking to make sure that my server isn't easy to crash?

Edit: Let's say nodejs doesn't do any real validation, which I'm pretty sure is the case. What do I have to do to make sure my server isn't easily crashable?

shelman asked Jul 18 '11 15:07



1 Answer

What is a malicious header value? Node is low level, so a lot of things aren't checked. But you have to look at those things. But it isn't like someone can send "execute 0xFA894224" or something. The only holes it's likely to have are things like allowing malformed requests (e.g., maybe you might get request.location: "*** CHINAAA ***"), forgetting to launch a socket close event, or throwing a JavaScript error and gracefully terminating.

You can always check yourself for these things, or use a try/catch block, process.on, etc. Of course, it's not to say there might not be a buffer overflow or something somewhere, but it is unlikely considering Node is built on top of V8, and many of the libraries are pure JavaScript.

Edit: How to stop random crashes:

process.on('uncaughtException',function() {
 /* ignore error */
});
Not a Name answered Sep 19 '22 15:09

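Added example, not part of the original answer: one way to apply the try/catch and process.on checks the answer mentions to an http server, together with a 'clientError' listener for requests the HTTP parser rejects. Unlike the snippet in the answer, the 'uncaughtException' handler here logs and exits, because the Node.js documentation states it is not safe to resume normal operation after that event. The names guard, createHardenedServer and installLastResortHandler, and all limit values, are assumptions chosen for illustration.

```javascript
const http = require('http');

// Turn a synchronous throw or a rejected promise in the application handler
// into a 500 response instead of an uncaught exception.
function guard(handler) {
  return (req, res) => {
    const fail = (err) => {
      console.error('handler error:', err);
      if (res.headersSent) return res.destroy(); // too late for a status line
      res.writeHead(500, { Connection: 'close' });
      res.end('Internal Server Error\n');
    };
    try {
      Promise.resolve(handler(req, res)).catch(fail);
    } catch (err) {
      fail(err);
    }
  };
}

function createHardenedServer(handler) {
  // Limits are assumed values; tune them to the traffic you expect.
  const server = http.createServer({ maxHeaderSize: 8192 }, guard(handler));
  server.headersTimeout = 10000; // ms allowed to receive the full header block
  server.requestTimeout = 30000; // ms allowed to receive the whole request
  // Requests the HTTP parser rejects never reach the handler; they are
  // reported here. Answer 400 if the socket is still usable.
  server.on('clientError', (err, socket) => {
    if (err.code === 'ECONNRESET' || !socket.writable) return;
    socket.end('HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n');
  });
  return server;
}

// Last resort: log and exit so a supervisor restarts a clean process, rather
// than continuing in an unknown state.
function installLastResortHandler(proc = process) {
  proc.on('uncaughtException', (err) => {
    console.error('uncaught exception, exiting:', err);
    proc.exit(1);
  });
}

// Usage: installLastResortHandler();
//        createHardenedServer((req, res) => res.end('ok\n')).listen(8080);
```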