2022-12-05
Does route data get merged with the top level ring router and any route maps along the way?
Well, I accidentally found an attack vector on reitit via coercion:
On -encode-error, the schema and errors get serialized with edn, which is extremely expensive.
Since schema and errors are returned by default from coercion, it is possible to induce extreme load on a server with a complex schema by sending invalid requests.
;; -encode-error from reitit's malli coercion. show? tests membership in the
;; :error-keys option; with the defaults, :schema and :errors are both present,
;; so every coercion failure edn-serializes the schema (and each error's schema).
(-encode-error [_ error]
  (cond-> error
    (show? :humanized) (assoc :humanized (me/humanize error {:wrap :message}))
    (show? :schema) (update :schema edn/write-string opts)
    (show? :errors) (-> (me/with-error-messages opts)
                        (update :errors (partial map #(update % :schema edn/write-string opts))))))
Proposed fix: remove schema and errors from the default options
:error-keys #{:type :coercion :in :schema :value :errors :humanized #_:transformed}