liquidjs

Handling DoS loops or max time processing

Open amit777 opened this issue 5 years ago • 6 comments

Are there any recommended best practices or ways to put limits on the number of cycles the render function can take? For example, if a malicious user adds nested for loops with very large max lengths, how do you prevent this from taking up the entire CPU?

I've been searching around and haven't found any questions related to this, so I feel like I'm probably missing something obvious.

amit777, Sep 30 '20 13:09

Not available currently. But I think it's OK to have this feature. Are there any other libs implementing this, for reference?

harttle, Oct 02 '20 01:10

I think I have a solution using a slightly patched paralleljs, which uses web workers. I will post the example here as soon as my patch is merged. But it's potentially pretty simple.

amit777, Oct 02 '20 02:10

paralleljs v1.1.0 has my pull request merged in. You can pass opts.timeout to Paralleljs's spawn method and call Liquidjs's render function within it.

amit777, Oct 06 '20 18:10

I guess limiting the processing time is better handled by external libraries. Closing this issue.

harttle, Feb 12 '21 07:02

If this library doesn't have limits as the Shopify version does, then why is it called safe?

denis-isaev, Jan 04 '24 23:01

I thought Shopify doesn't have a limit on this. Will investigate whether we can do the same.

harttle, Jan 05 '24 02:01

Added DoS-related support: https://liquidjs.com/tutorials/dos.html

harttle, Jul 09 '24 14:07
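
The worker-with-timeout approach discussed in this thread, as an added example that is not code from the issue, LiquidJS or paralleljs: it uses Node's built-in `worker_threads` to enforce a wall-clock deadline from the parent thread. The nested loop in the worker is a constructed stand-in for a render call, and `renderWithTimeout` and its result shape are hypothetical names.

```javascript
const { Worker } = require('node:worker_threads');

// Constructed stand-in for a render call (assumption): nested loops whose
// bounds come from user input, the same shape as nested {% for %} tags over
// very large ranges. A real worker would call the template engine here.
const WORKER_SOURCE = `
  const { parentPort, workerData } = require('node:worker_threads');
  let cells = 0;
  for (let i = 0; i < workerData.outer; i++) {
    for (let j = 0; j < workerData.inner; j++) cells++;
  }
  parentPort.postMessage({ cells });
`;

// Hypothetical helper: resolves to { ok: true, cells } or { ok: false, reason }.
function renderWithTimeout(bounds, timeoutMs) {
  return new Promise((resolve) => {
    const worker = new Worker(WORKER_SOURCE, {
      eval: true,
      workerData: bounds,
      resourceLimits: { maxOldGenerationSizeMb: 64 }, // memory cap for the worker heap
    });
    let settled = false;
    const finish = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(result);
    };
    // A tight loop never yields, so a timer inside the worker would not fire;
    // the deadline is enforced from the parent thread, which kills the worker.
    const timer = setTimeout(() => {
      worker.terminate();
      finish({ ok: false, reason: 'timeout' });
    }, timeoutMs);
    worker.once('message', (msg) => {
      finish({ ok: true, cells: msg.cells });
      worker.terminate();
    });
    worker.once('error', (err) => finish({ ok: false, reason: 'error: ' + err.message }));
    worker.once('exit', (code) => finish({ ok: false, reason: 'exit ' + code }));
  });
}
```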