Safety and Protection Against DoS Attacks
========================================

{{#include ../links.md}}

For scripting systems open to untrusted user-land scripts, it is always best to limit the amount of
resources used by a script so that it does not consume more resources than it is allowed to.

The most important resources to watch out for are:

* **Memory**: A malicious script may continuously grow a [string], an [array] or [object map] until all memory is consumed.

  It may also create a large [array] or [object map] literal that exhausts all memory during parsing.

* **CPU**: A malicious script may run an infinite tight loop that consumes all CPU cycles.
* **Time**: A malicious script may run indefinitely, thereby blocking the calling system which is waiting for a result.
* **Stack**: A malicious script may attempt an infinite recursive call that exhausts the call stack.

  Alternatively, it may create a degenerate deep expression with so many levels that the parser exhausts the call stack
  when parsing the expression; or even deeply-nested statement blocks, if nested deep enough.

  Another way to cause a stack overflow is to load a [self-referencing module][`import`].

* **Overflows**: A malicious script may deliberately cause numeric over-flows and/or under-flows, divide by zero, and/or
  create bad floating-point representations, in order to crash the system.

* **Files**: A malicious script may continuously [`import`] an external module within an infinite loop,
  thereby putting heavy load on the file-system (or even the network if the file is not local).

  Even when modules are not created from files, they still typically consume a lot of resources to load.

* **Data**: A malicious script may attempt to read from and/or write to data that it does not own. If this happens,
  it is a severe security breach and may put the entire system at risk.

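As an added illustration (not Rhai's own engine code; every name and number here is made up for the example), a stand-alone Rust evaluator that enforces the kinds of limits listed above: an operation budget against tight loops and runaway evaluation time, a depth limit against degenerate expressions and unbounded recursion, an array-size cap against memory exhaustion, and checked arithmetic for overflow and division by zero.

```rust
// Added illustration, not Rhai's engine: a toy evaluator that enforces the kinds of limits
// described above (operation budget, call depth, array size, checked arithmetic).
// All names and numbers are made up for the example.
#[derive(Debug, PartialEq)]
pub enum Error { TooManyOperations, StackTooDeep, ArrayTooLarge, Overflow, DivideByZero }

pub enum Expr {
    Num(i64),
    Add(Box<Expr>, Box<Expr>),
    Div(Box<Expr>, Box<Expr>),
    Repeat(u64, Box<Expr>), // evaluate the body n times (models a tight loop)
    Array(usize),           // array literal of n elements (models a huge literal)
}

pub struct Limits { pub max_ops: u64, pub max_depth: usize, pub max_array: usize }
pub struct Engine { limits: Limits, ops: u64 }

impl Engine {
    pub fn new(limits: Limits) -> Self { Engine { limits, ops: 0 } }

    // Each evaluated node costs one operation; running out of budget aborts the script
    // instead of letting an infinite loop monopolise the CPU (and the caller's time).
    fn tick(&mut self) -> Result<(), Error> {
        self.ops += 1;
        if self.ops > self.limits.max_ops { Err(Error::TooManyOperations) } else { Ok(()) }
    }

    pub fn eval(&mut self, e: &Expr, depth: usize) -> Result<i64, Error> {
        // Depth is checked before recursing, so a degenerate deep expression fails with a
        // clean error rather than overflowing the host's own stack.
        if depth > self.limits.max_depth { return Err(Error::StackTooDeep); }
        self.tick()?;
        match e {
            Expr::Num(n) => Ok(*n),
            Expr::Add(a, b) => {
                let (x, y) = (self.eval(a, depth + 1)?, self.eval(b, depth + 1)?);
                x.checked_add(y).ok_or(Error::Overflow) // no silent wrap-around
            }
            Expr::Div(a, b) => {
                let (x, y) = (self.eval(a, depth + 1)?, self.eval(b, depth + 1)?);
                if y == 0 { Err(Error::DivideByZero) } else { x.checked_div(y).ok_or(Error::Overflow) }
            }
            // The loop body is charged per iteration, so a huge repeat count hits the budget.
            Expr::Repeat(n, body) => (0..*n).try_fold(0, |_, _| self.eval(body, depth + 1)),
            Expr::Array(n) if *n > self.limits.max_array => Err(Error::ArrayTooLarge),
            Expr::Array(n) => Ok(*n as i64), // stand-in for the array's length
        }
    }
}
```
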
`unchecked`
-----------

All these safeguards can be turned off via the [`unchecked`] feature, which disables all
safety checks (even fatal errors such as arithmetic overflows and division-by-zero).
This will increase script evaluation performance, at the expense of having an erroneous
script able to panic the entire system.