Proxy '?'-based powerful attack on http-server caught in the wild. Can force out of memory
I run http-server primarily for SPAs with proxy redirect. I prefer to just use http-server directly, without NGINX or some other firewall, for my projects.
Environment Versions
- OS Type : Debian GNU/Linux 9.13 (stretch)
- Node version: v14.18.1
- http-server version: v13.0.2
Steps to reproduce
- make a request (POST, GET, etc.) such that the URL is '/?/?/?/?/?…' (repeated about a hundred times) '…/?/?/api'
- This will force http-server to end up using all the available memory
- sample start
http-server ./web -o -c-1 -p 8080 --proxy "http://localhost:8080?"
Suggestion
- I would propose a PR that links to this issue and deflects this simple but powerful attack, using
url.slice(0,4) === '/?/?'
The more advanced way to handle this is to not use a regex (intensive) but an indexOf analysis, so we can tell legitimate query variables from an actual attack.
Requesting thoughts and interest in handling this attack. I can propose a precise curl command and a repository to demonstrate. Let me know.
I have an immediate fix implemented here, before we even touch parse: https://github.com/rook2pawn/http-server/commit/6645278d947e888c991ab27847bafae327970be1
Issue Analytics
- Created 2 years ago
- Reactions: 1
- Comments: 13 (1 by maintainers)
Top GitHub Comments
Thanks to everyone working on this issue 😃
I was running into the same problem when using the catch-all redirect with any other request method than GET. All it takes to reproduce it is:
In my opinion it is a major bug, preventing http-server from being used on productive systems for SPAs before this is fixed. Working solution for me is serving the SPA via 404.html as described in the README.md:
However, this impacts the returned HTTP status code to be 404 instead of 200.
I see 3 different solutions for the bug to be resolved:
1. --proxy option can be used for arbitrary request methods
2. (--spa or --fallback) that serves index.html instead of returning 404
When help is wanted to implement 1. or 2., let me know…
@kade-d I made one small change here that stops this request before it takes any computational power.
It only uses String.slice and equality, so this is very efficient, and it has kept my http-server up since I implemented this fix on my own fork.