Comments (3)
This is largely implemented in this commit (which is on the prevent-slow-retrieval-attacks branch). However, the implemented timeoutReader has the side effect that if the given []byte is larger than chunkSize and the underlying reader returns partial data, those partial reads will be buffered until enough chunks have been read. This may not be an issue, but it needs some thought, and probably needs testing against a real (and slow) HTTP server.
from go-tuf.
It looks like net/http's Request.Body.Close() could be dangerous here: golang/go#9662. Though I think it is easier to mitigate on the client side with CancelRequest.
from go-tuf.
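The chunked, per-deadline reader described in the first comment, together with the clean-up point raised in the second (a read that is still blocked after the deadline only goes away once the body is closed or the request cancelled), as an added example. This is illustrative code written for this page, not go-tuf's own timeoutReader; the names timeoutReader, trickleReader, readAllWithin and ErrSlowRetrieval, the chunk size and timeout values, and the sample payload are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrSlowRetrieval is returned when a full chunk (or EOF) does not arrive before
// the per-chunk deadline expires.
var ErrSlowRetrieval = errors.New("slow retrieval: chunk not delivered before deadline")

// timeoutReader requires every chunk of chunkSize bytes to arrive within timeout.
// Partial reads from the underlying reader are accumulated inside a chunk until it
// is full (the buffering the comment above describes). Illustrative only, not
// go-tuf's own timeoutReader. chunkSize must be > 0.
type timeoutReader struct {
	r         io.Reader
	chunkSize int
	timeout   time.Duration
	pending   []byte // fetched but not yet handed to the caller
	err       error  // sticky error, returned once pending is drained
}

type chunkResult struct{ data []byte; err error }

// fetchChunk reads one chunk in a goroutine that owns its buffer, so a late result
// can never race with the caller's slice. On deadline expiry the goroutine is
// abandoned; it unblocks when the caller closes the body or cancels the request.
func (t *timeoutReader) fetchChunk() {
	ch := make(chan chunkResult, 1) // buffered: a late goroutine never blocks
	go func() {
		buf := make([]byte, t.chunkSize)
		n, err := io.ReadFull(t.r, buf)
		if err == io.ErrUnexpectedEOF { // a short final chunk is an ordinary EOF
			err = io.EOF
		}
		ch <- chunkResult{data: buf[:n], err: err}
	}()
	select {
	case res := <-ch:
		t.pending, t.err = res.data, res.err
	case <-time.After(t.timeout):
		t.err = ErrSlowRetrieval
	}
}

// Read hands out buffered bytes first and fetches a new chunk only when they run
// out, so a p larger than chunkSize still gets at most one chunk per call.
// Not safe for concurrent use.
func (t *timeoutReader) Read(p []byte) (int, error) {
	if len(t.pending) == 0 {
		if t.err != nil {
			return 0, t.err
		}
		t.fetchChunk()
		if len(t.pending) == 0 {
			return 0, t.err
		}
	}
	n := copy(p, t.pending)
	t.pending = t.pending[n:]
	return n, nil
}

// readAllWithin drains r through a timeoutReader and fails with ErrSlowRetrieval
// as soon as any chunk misses its deadline.
func readAllWithin(r io.Reader, chunkSize int, timeout time.Duration) ([]byte, error) {
	return io.ReadAll(&timeoutReader{r: r, chunkSize: chunkSize, timeout: timeout})
}

// trickleReader is a constructed stand-in for a slow HTTP body: it delivers one
// byte per Read after sleeping for delay.
type trickleReader struct {
	data  []byte
	delay time.Duration
}

func (s *trickleReader) Read(p []byte) (int, error) {
	if len(s.data) == 0 {
		return 0, io.EOF
	}
	time.Sleep(s.delay)
	p[0] = s.data[0]
	s.data = s.data[1:]
	return 1, nil
}

func main() {
	payload := []byte("constructed sample payload, e.g. a targets.json body")
	got, err := readAllWithin(bytes.NewReader(payload), 8, 100*time.Millisecond)
	fmt.Printf("fast body:      %d bytes, err=%v\n", len(got), err)
	_, err = readAllWithin(&trickleReader{data: payload, delay: 50 * time.Millisecond}, 8, 100*time.Millisecond)
	fmt.Printf("trickling body: err=%v\n", err)
}
```

The deadline covers a whole chunk rather than a single Read, so a server that trickles one byte at a time cannot stay under the radar by sending just enough to keep the connection alive; a body that returns partial reads quickly is simply assembled into full chunks and passes. Because the goroutine reads into a buffer it owns, a result that arrives after the deadline is discarded without touching the caller's slice. The price is that after a timeout the goroutine stays blocked inside the underlying Read until the caller closes the response body or cancels the request, which is exactly why the CancelRequest point in the second comment matters in practice.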
Slow retrieval attacks were removed from the TUF spec.
from go-tuf.
Related Issues (20)
- Possible bug in `isTargetInPathPattern`
- Make go-tuf concurrency-safe
- Enable Refresh() to be called more than once
- feat: Decouple signing
- feat: Support for downloading target files from a registry (by tag/digest)
- bug: use the correct format for "expires" (should not include milliseconds)
- feat: Support loading and managing keys from files
- tests: Add interoperability tests
- feat: Support for setting custom Key IDs
- Revisit path handling for proper Windows support
- Switch away from actions using a deprecated nodejs version
- Example repo is dead
- Consider deprecating use of third-party logging libraries in favour of stdlib (log/slog) ?
- Failing to rotate timestamp keys: tuf: failed to decode timestamp.json: tuf: valid signatures did not meet threshold
- bug: hash algorithm defaults to SHA256 for most algorithms
- Custom user agent string
- bug: deep target file paths for consistent snapshots
- Add SLSA provenance
- temporary file creation for persisted metadata
- I increase the default `MaxRootRotations` value for the updater config.