I am using the ws module and I'd like to limit the amount of data being sent by the client over websocket to 1Mb. This will prevent a malicious user from sending huge amounts of data (in terms of GB) causing the server to run out of memory, which would cause denial of service errors for every normal user.
For example, Express allows you to specify the max size of a POST request body like so:
bodyParser.json({limit:'1Mb'})
How do I do something similar with the ws module?
I tried
var ws = require('ws').Server
var wsserver = new ws({port:8080, limit:'1Mb'})
But this of course doesn't work.
I want the transmission of data to be interrupted (after 1Mb is exceeded) and the websocket connection to be closed. How can I do that?
There must be a way to limit the frames of data coming from the client...
WebSocket connections have a limit of 5 incoming messages per second.
Once established, a websocket connection does not have to send headers with its messages so we can expect the total data transfer per message to be less than an equivalent HTTP request. Establishing a Socket.io connection takes 1 HTTP request (~230 bytes) and one 86 byte websocket frame.
websockets frame buffer: its size depends both on the size and the number of frames it contains. By default the maximum size is 1MB and the maximum number is 32. You can adjust these limits by setting the max_size and max_queue keyword arguments of connect() or serve().
The only way to know the client received the webSocket message for sure is to have the client send your own custom message back to the server to indicate you received it and for you to wait for that message on the server. That's the ONLY end-to-end test that is guaranteed.
That ability does not (currently) exist in that library.
Poking around their source code, it appears that the place to start would be the processPacket() method in https://github.com/websockets/ws/blob/master/lib/Receiver.js .
Once you have the packet header available, you can see the size of the message being sent. If it's above a certain threshold, there should be a way to close the connection before all of the bytes are even hitting your network.
Of course, the nice thing to do would be to fork their repository, issue a feature request, add in a configuration option that defaults to not taking any action if it's not set (don't break backwards compatibility), and submit a pull request.
If they like it, they'll merge. If not, you'll still be able to merge their future versions into your own repo and stay up to date without having to re-do your work each time they submit a new release.
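The check this answer describes, reading the declared payload length from the frame header and refusing the message before its body is buffered, as an added example (not code from the answer or from the ws project). `parseFrameHeader` and `MessageSizeGuard` are hypothetical names; the guard also sums fragment lengths, so a message split into many small frames cannot slip past the limit.

```javascript
// Added example: hypothetical helpers, not part of the ws code base.
const MAX_MESSAGE_BYTES = 1024 * 1024; // the 1 MB limit from the question

// Parse an RFC 6455 frame header; returns null until enough bytes have arrived.
function parseFrameHeader(buf) {
  if (buf.length < 2) return null;
  const fin = (buf[0] & 0x80) !== 0;
  const opcode = buf[0] & 0x0f;
  const masked = (buf[1] & 0x80) !== 0;
  let length = BigInt(buf[1] & 0x7f);
  let offset = 2;
  if (length === 126n) {            // 16-bit extended length
    if (buf.length < 4) return null;
    length = BigInt(buf.readUInt16BE(2));
    offset = 4;
  } else if (length === 127n) {     // 64-bit extended length
    if (buf.length < 10) return null;
    length = buf.readBigUInt64BE(2);
    offset = 10;
  }
  return { fin, opcode, masked, length, headerBytes: offset + (masked ? 4 : 0) };
}

// Tracks the declared size of one message across all of its fragments.
class MessageSizeGuard {
  constructor(limit = MAX_MESSAGE_BYTES) {
    this.limit = BigInt(limit);
    this.total = 0n;
  }
  // Returns { ok: true } or { ok: false, closeCode } for one parsed header.
  check(header) {
    // Frames sent by a client must be masked; anything else is a protocol error.
    if (!header.masked) return { ok: false, closeCode: 1002 };
    if (header.opcode >= 0x8) {
      // Control frames carry at most 125 bytes and are never fragmented.
      return header.length <= 125n && header.fin
        ? { ok: true } : { ok: false, closeCode: 1002 };
    }
    this.total += header.length;
    // 1009 = "Message Too Big"; decided from the header alone, before the payload.
    if (this.total > this.limit) return { ok: false, closeCode: 1009 };
    if (header.fin) this.total = 0n; // message complete, start counting afresh
    return { ok: true };
  }
}
```

Current releases of ws expose a `maxPayload` server option that enforces a limit of this kind.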