Metadata-pushes rate is not capped on responder, may lead to server resources starvation

[mostroverkhov]

External clients can start hundreds of thousands of metadata-pushes over multiple connections.

If metadata-push handler is present and It does not implement rate limiting on its own, then server is subject to resource starvation attack.

If metadata-push handler is absent, then exception with stacktrace is created for every metadata-push - this just consumes cpu cycles. With sufficiently large number of metadata-pushes RSocket becomes unresponsive.

Problem worsens with websocket transport of this repository. By default It sets frame size limit to ~16MB - this opens opportunity for memory overflow given there may be arbitrarily large number of concurrent metadata-pushes with size close to said size limit.

[OlegDokuka]

Hey!

First of all, we appreciate issues and bug reports!

However, sometimes it is HARD to figure out what the issue is about. In certain: how to reproduce it; what is the root cause; what is possible solutions to mitigate it!

Having no such info just makes it challenging for maintainers to help submitter / improve project by resolving the issue.

Therefore, we created issues' templates for that purpose so the issue submitter can express all important points that maintainers need in order to resolve an issue. Otherwise, if thoughts were not expressed clearly just make the issue useless and waste maintainers' time on figuring out what was said.

Therefore, please respect maintainers by following general issues' templates if you submitting an issue!

Thanks in advance.

---

1. Any code samples to reproduce that?

2. I believe the same issue can happen with the fnf call if leasing is not enabled. Is not it?

If metadata-push handler is absent, then exception with stacktrace is created for every metadata-push - this just consumes cpu cycles. With sufficiently large number of metadata-pushes RSocket becomes unresponsive.

3. This is a bug 🐞. However, the issue is not critical and a workaround for everything lower than 1.0.2 will be overriding of all RSocket methods with a static response error

4. The solution for this issue will be creating static Mono.error/Flux.error for RSocket.class so stack trace will not be filled on every call.

Problem worsens with websocket transport of this repository. By default It sets frame size limit to ~16MB - this opens opportunity for memory overflow given there may be arbitrarily large number of concurrent metadata-pushes with size close to said size limit.

The same as for point 1 - any code that reproduces that, or is it just a theoretical assumption that has no proof?

On the RSocketRequester side we have Payload validation which ensures that payload is not overdue 16 content size. That said it is impossible to send frame bigger than 16 MB -> since validation code ensures that frame size is less or equal to 16MB (total sum of headers and content)

6. Apart, if one sends many requests with the large payload for any request type may be an opportunity for memory overflow is not it? How metadata-push differs from the same fnf or requestResponse calls no counting that metadata push is not a subject for leasing? I guess this is an application concern on how to prevent memory overflow attacks and extra application security can be introduced to protect against the malicious caller. Is not it?

WDYT @rstoyanchev @rwinch?

Cheers,
Oleh

[rstoyanchev]

I think metadata pushes are not meant to be used for sending a lot of data or to be sent very frequently. We can add some basic rate limiting mechanism that allows up a certain number of pushes and/or metadata size within some period of time. That can be much lower than the general 16 MB frame size from the spec.

Also since metadata isn't subject to fragmentation then we are not aggregating fragments and an application can use interception to reject large metadata pushes or any metadata pushes as a workaround.