Node crashes when a big sparse array is given to console.log (might cause DoS) #4905
@mik01aj Am I correct that when speaking about DoS, you have
Yes. I think it can be pretty common in Note that
How so?
@vkurchatkin My bad, it seems that I was incorrect, sorry. I was testing this in repl, and it consumed the memory not on that operation, but when trying to print the result. I will edit my comments above, thanks!
As a possible fix, we could limit the maximum length of an array being printed in
Yes, that's what I meant. 👍 As for DoS risk, I don't have time to think about a good full blown code example, sorry. Maybe later... Or maybe this could convince you that it's certainly possible to make such an array accidentally: lodash/lodash#1685.
+1.
@mscdex This is related to
@bnoordhuis This is what I meant, and is exactly why this issue belongs to
Seems like the same issue as I was pinged about on Twitter recently It'd be nice to not have unexpected and non-obvious behaviour like this if we can help it. Fair enough if you're actually using up memory but when you know you're not but it still dies, that's not so great. /cc @trevnorris
I'm not sure what else we could do here. v8 doesn't give the capability to cancel the operation of retrieving property names if the heap is about to run out of memory.
Can we not switch to a streaming model of writing to I ask because

```js
var a=[]
a[1000000000]=1
console.log(a)
```

works in browsers.
@zeusdeux I can't think of a way to handle circular dependencies that way. The model needs to be built to make sure we won't end up recursively printing objects.
Retrieving the property names is fast:
Printing To illustrate
If you guys want, I can add a check for sparse arrays (eg
This prevents `console.log(arr)` from crashing node when given a sparse array with large length. Fixes nodejs#4905
@trevnorris If you mean how the streaming model would work for objects with circular dependencies, then it would work as is since the already seen value will be in
@zeusdeux the reason
How about something that operates like this (hacked together this morning): Options to restrict the output to a maximum number of elements and to elide series of unset values, with the settings available at module and per-invocation scope. Setting either to 0 disables that limit.
@tunniclm I like your suggestion, but making it the default would need a new semver-major version (as stated by @rvagg in #5070 (comment)). I would say, the main reason is that you change the output format even for small arrays (I mean small for machine, so 10000 is small, it all prints in a split second). I would suggest to change the output format only for arrays big enough to cause the crash, and make this the default, and push this fix to any relevant versions. I consider making the output format nicer and more human-readable a separate issue (:+1: for it, but not in a minor version)
@mik01aj I'm not sure why this would necessarily be semver-major, since it could even be completely disabled by default, if necessary. (I was thinking setting the module options to be disabled by default, and to change the REPL to use the per-invocation values I can see that it doesn't help with selecting the right value for a maximum number of array output elements though -- would a flat value be sufficient? would we want a number calculated at startup depending on the machine? would we want a value calculated at run time based on the amount of free memory?
This ends up with a `FATAL ERROR: process out of memory`. Wouldn't expect this...

Note that many applications use `console.log` for logging their stuff, and this can lead to a DoS attack: for example, when a user-specified JSON `{"1000000000":"a"}` is merged with some pre-existing array and then printed on console. Having an upper bound on printed `Array` items in `console.log` seems like an easy fix for this.

I originally reported this to security@nodejs.org, but I got this response:

So I'm opening an issue 😃
Btw, I can't see this documented anywhere in the console docs, but maybe I'm missing something?
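
The two mitigations raised in this thread, an upper bound on printed items and eliding runs of unset values, can be combined in a formatter whose cost depends on the number of set elements rather than on `length`. This is an added example, not code from the issue or from Node; `formatArrayBounded`, `formatValue`, `maxElements` and `maxDepth` are hypothetical names, and the input is a constructed version of the merge the report describes.

```javascript
// Added example, not Node's implementation. formatArrayBounded, formatValue,
// maxElements and maxDepth are hypothetical names.
function formatValue(v, opts, depth) {
  if (Array.isArray(v)) {
    // The depth limit also stops arrays that contain themselves.
    return depth < opts.maxDepth ? formatArrayBounded(v, opts, depth + 1) : '[Array]';
  }
  if (typeof v === 'string') return JSON.stringify(v);
  if (typeof v === 'function') return '[Function]';
  if (v !== null && typeof v === 'object') return '[Object]';
  return String(v);
}

function formatArrayBounded(arr, opts = {}, depth = 0) {
  const { maxElements = 100, maxDepth = 2 } = opts;
  const parts = [];
  let shown = 0;
  let next = 0; // index that would come next if there were no hole
  // Object.keys() returns only the indices that are actually set, in
  // ascending order, so the work depends on set elements, not arr.length.
  for (const key of Object.keys(arr)) {
    const index = Number(key);
    // Ignore non-index properties (for example arr.foo or arr["1.5"]).
    if (!Number.isInteger(index) || String(index) !== key) continue;
    if (index < 0 || index >= arr.length) continue;
    if (shown === maxElements) {
      parts.push('... more items');
      next = arr.length; // the cut already covers whatever follows
      break;
    }
    if (index > next) parts.push(`<${index - next} empty>`);
    parts.push(formatValue(arr[index], { maxElements, maxDepth }, depth));
    shown += 1;
    next = index + 1;
  }
  if (next < arr.length) parts.push(`<${arr.length - next} empty>`);
  return `[ ${parts.join(', ')} ]`;
}

// Constructed input: the merge described in the issue.
const merged = ['x'];
Object.assign(merged, JSON.parse('{"1000000000":"a"}'));
console.log(formatArrayBounded(merged));
```

Logging the returned string instead of the array keeps the log line short however large `length` is.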