Handling DoS loops or max time processing #250
Comments
Not available currently. But I think it's OK to have this feature, are there any other libs implementing this, for reference?
I think I have a solution using a slightly patched paralleljs which uses webworkers. I will post the example here as soon as my patch is merged. But it's potentially pretty simple.
paralleljs v1.1.0 has my pull request merged in. You can pass opts.timeout to Paralleljs's spawn method and call Liquidjs's render function within it.
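The approach described in the comment above (run the render in a worker and enforce a timeout from outside), as an added example that is not code from this thread, paralleljs or LiquidJS. It assumes Node's built-in `worker_threads` in place of paralleljs, and `renderStandIn` is a hypothetical stand-in for the engine's render call.

```javascript
const { Worker } = require('node:worker_threads');

// Code executed inside the worker. renderStandIn is a hypothetical stand-in
// for the template engine's render call; it does the work of a template like
// {% for i in (1..outer) %}{% for j in (1..inner) %}x{% endfor %}{% endfor %}
const WORKER_SOURCE = `
  const { parentPort, workerData } = require('node:worker_threads');
  function renderStandIn({ outer, inner }) {
    let cells = 0;
    for (let i = 0; i < outer; i++) {
      for (let j = 0; j < inner; j++) cells++;
    }
    return 'rendered ' + cells + ' cells';
  }
  parentPort.postMessage(renderStandIn(workerData));
`;

// Runs one render in its own thread and rejects if it outlives timeoutMs.
// The main event loop stays free, so the timer fires even while the worker
// is stuck in a synchronous loop, and terminate() stops that loop.
function renderWithTimeout(scope, timeoutMs) {
  return new Promise((resolve, reject) => {
    const worker = new Worker(WORKER_SOURCE, { eval: true, workerData: scope });
    let settled = false;
    const settle = (fn, value) => {
      if (settled) return; // first outcome wins: output, error, or timeout
      settled = true;
      clearTimeout(timer);
      fn(value);
    };
    const timer = setTimeout(() => {
      settle(reject, new Error(`render exceeded ${timeoutMs} ms`));
      worker.terminate();
    }, timeoutMs);
    worker.once('message', (output) => settle(resolve, output));
    worker.once('error', (err) => settle(reject, err));
    worker.once('exit', (code) =>
      settle(reject, new Error(`worker exited (${code}) without output`)));
  });
}
```

Calling `renderWithTimeout({ outer: 1e6, inner: 1e6 }, 200)` rejects after roughly 200 ms instead of occupying a core until the loops finish.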
I guess limiting the processing time is better handled by external libraries. Closing this issue.
If this library doesn't have limits as the Shopify version does, then why is it called safe?
I thought Shopify doesn't have a limit on this. Will investigate whether we can do the same.
# [10.15.0](v10.14.0...v10.15.0) (2024-07-09)

### Bug Fixes

* report error for malformed else/elsif/endif/endfor, [#713](#713) ([22b5a12](22b5a12))

### Features

* DoS prevention, [#250](#250) ([e443068](e443068))
* support in-memory template mapping, inspired by [@jg-rp](https://github.com/jg-rp) [#714](#714) ([df27ac6](df27ac6))
Added DoS-related support: https://liquidjs.com/tutorials/dos.html
Are there any recommended best practices or ways to put limits on the number of cycles the render function can take? For example, if a malicious user adds nested for loops with very large max lengths, how do you prevent this from taking up the entire CPU?
I've been searching around and haven't found any questions related to this, so I feel like I'm probably missing something obvious.