Skip to content

Improve security and speed #350

Open
fabiodefilipposoftware wants to merge 3 commits into
statianzo:masterfrom
fabiodefilipposoftware:patch-1
Open

Improve security and speed #350
fabiodefilipposoftware wants to merge 3 commits into
statianzo:masterfrom
fabiodefilipposoftware:patch-1

Conversation

@fabiodefilipposoftware

Copy link
Copy Markdown

1. Zero Crash for Stack Overflow (Reliability)

  • Before: If the server sent many messages in a row and the underlying stream responded synchronously (very quickly), the original code would keep calling itself, creating an infinite "chain" of calls. This would exhaust the CPU stack memory, causing a sudden and destructive application crash (StackOverflowException).
  • Now: The new code processes the message queue linearly (one step at a time within a while loop), keeping the CPU stack clean and safe, regardless of the number of messages accumulated.

2. Zero Impact on the Rest of the Project (Refactoring Safety)

  • No Domino Effects: You don't have to change a single line of code in other files in the project. The method signatures (BeginWrite/EndWrite) and the way other classes interact with QueuedStream remain identical.

### 1. Zero Crash for Stack Overflow (Reliability)
* **Before:** If the server sent many messages in a row and the underlying stream responded synchronously (very quickly), the original code would keep calling itself, creating an infinite "chain" of calls. This would exhaust the CPU stack memory, causing a sudden and destructive application crash (StackOverflowException).
* **Now:** The new code processes the message queue linearly (one step at a time within a while loop), keeping the CPU stack clean and safe, regardless of the number of messages accumulated.
### 2. Zero Impact on the Rest of the Project (Refactoring Safety)
* **No Domino Effects:** You don't have to change a single line of code in other files in the project. The method signatures (BeginWrite/EndWrite) and the way other classes interact with QueuedStream remain identical.
Added timeout handling for regex matching and body extraction.
### 1. Total Protection from DoS Attacks (Server Stability)
* **Before:** If an attacker (or a buggy client) sent a maliciously crafted request containing infinitely long text strings, the old Regex could enter a spiral of endless calculation loops (called *catastrophic backtracking*). This would cause the CPU to hang at 100% for hours, knocking the server offline.
* **Now:** Thanks to the introduction of **Timeout** (RegexTimeout), if Regex cannot process the text within 100 milliseconds, the operation is forcibly aborted, the exception is caught (RegexMatchTimeoutException), and the malicious request is discarded. The server's CPU is safe.
 ### 2. Halved Memory Consumption on the Body (Efficiency)
* **Before:** The old Regex attempted to parse and "capture" the entire message body ((?<body>.+)?). If a user sent very large data, Regex had to scan it character by character, allocating many temporary objects in RAM and slowing down the garbage collector.
* **Now:** Regex stops as soon as the headers are exhausted. The body is extracted by "trimming" the string with a very fast native method (text.IndexOf("\r\n\r\n") and Substring). A native trimming is hundreds of times lighter on the CPU and memory than parsing with Regex.
### 3. Dead Code Removal (Code Cleanup)
* **Before:** The code included a separate pattern and ad hoc logic to handle requests from Adobe Flash Player (FlashSocketPolicyRequestPattern).
 * **Now:** Since Flash technology has been permanently deprecated and removed from all modern browsers, that block of code had become unnecessary. By removing it, we streamlined the class, leaving only the code that's actually needed.
### 4. Zero changes to the rest of the software (No risk of regression)
* **Zero impact:** From the perspective of the rest of the project, the public method is still called RequestParser.Parse(bytes) and returns the exact same WebSocketHttpRequest object as before.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant