fix(reader-main): prevent DoS via malformed action type matching #427

Merged
luciorubeens merged 3 commits into main from fix/reader-main-action-type on Nov 3, 2025

Conversation

luciorubeens (Member) commented Oct 29, 2025

Fixes a vulnerability where attackers could hang the service by sending messages with "wrong" action names, e.g. dither.PostRemove would match the Post handler.

So the service hangs because the wrong handler processes the malformed message, fails to parse it, returns RETRY status, and the message gets stuck in an infinite retry loop.

Now it will extract the exact action type using regex instead of checking prefixes in a for loop, ensuring only properly formatted messages are processed.

This PR also fixes smoke tests.
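The two dispatch strategies contrasted in the description, as an added example that is not the project's code: a prefix-matching loop beside an anchored-regex exact lookup, with a small queue consumer that shows why a RETRY on an unroutable message never terminates. TypeScript is an assumption about the service's language; the message shape, handler names, status values, the `dither.` action prefix regex and the sample messages are all constructed for illustration.

```typescript
// Added example (not Dither's code): exact action-type dispatch vs. prefix matching.
// Message shape, handler names, status values and sample messages are assumptions.

type Status = "OK" | "RETRY" | "DROP";

interface Message {
  action: string;                     // routing key, e.g. "dither.Post"
  payload: Record<string, unknown>;   // sender-controlled body
}

type Handler = (payload: Record<string, unknown>) => Status;

// Hypothetical handlers. Each returns RETRY when its payload does not parse,
// which is the behaviour the PR describes as feeding the infinite retry loop.
const handlers = new Map<string, Handler>([
  ["Post", (p) => (typeof p.text === "string" ? "OK" : "RETRY")],
  ["PostRemove", (p) => (typeof p.postHash === "string" ? "OK" : "RETRY")],
  ["Follow", (p) => (typeof p.address === "string" ? "OK" : "RETRY")],
]);

// Vulnerable dispatch: the first prefix match wins, so "dither.PostRemove" lands in
// the Post handler, which cannot parse it and returns RETRY every time.
export function dispatchByPrefix(msg: Message): Status {
  for (const [name, handler] of handlers) {
    if (msg.action.startsWith(`dither.${name}`)) {
      return handler(msg.payload);
    }
  }
  return "DROP";
}

// Hardened dispatch: an anchored regex extracts the exact action type, which is
// looked up verbatim in a Map (so prototype keys such as "constructor" cannot match).
// An unknown or malformed action is DROPped (acknowledged or dead-lettered), never
// RETRYed: retrying cannot make a sender-chosen routing key valid.
const ACTION_RE = /^dither\.([A-Za-z]+)$/;

export function dispatchExact(msg: Message): Status {
  const m = ACTION_RE.exec(msg.action);
  if (m === null) return "DROP";
  const handler = handlers.get(m[1]);
  return handler === undefined ? "DROP" : handler(msg.payload);
}

// Minimal queue consumer: RETRY re-enqueues, OK and DROP acknowledge. maxAttempts
// caps the simulation only; the PR describes the real loop as unbounded.
export function drainQueue(
  dispatch: (m: Message) => Status,
  queue: Message[],
  maxAttempts = 10,
): { acked: number; stuck: number; attempts: number } {
  const pending = queue.map((m) => ({ m, tries: 0 }));
  let acked = 0;
  let stuck = 0;
  let attempts = 0;
  while (pending.length > 0) {
    const item = pending.shift()!;
    attempts++;
    item.tries++;
    if (dispatch(item.m) === "RETRY") {
      if (item.tries >= maxAttempts) {
        stuck++;
        continue;
      }
      pending.push(item);
    } else {
      acked++;
    }
  }
  return { acked, stuck, attempts };
}

// Constructed sample traffic: three well-formed messages and one with a bogus action.
export const sampleMessages: Message[] = [
  { action: "dither.Post", payload: { text: "hello" } },
  { action: "dither.PostRemove", payload: { postHash: "abc123" } },
  { action: "dither.Follow", payload: { address: "cosmos1alice" } },
  { action: "dither.Postx", payload: {} },
];

// Run the same traffic through both dispatchers for comparison.
export function compare() {
  return {
    prefix: drainQueue(dispatchByPrefix, sampleMessages),
    exact: drainQueue(dispatchExact, sampleMessages),
  };
}
```

With prefix matching, both `dither.PostRemove` and `dither.Postx` fall into the Post handler and are retried until the simulation's cap; with exact matching, `dither.PostRemove` reaches its own handler and `dither.Postx` is acknowledged and dropped on the first attempt. Whether a dropped message is logged, counted or dead-lettered is a deployment choice, but it must not be returned to the queue.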

netlify bot commented Oct 29, 2025

Deploy Preview for dither-staging ready!

Latest commit: 7570151
Latest deploy log: https://app.netlify.com/projects/dither-staging/deploys/6907e69a9e674800083aedd1
Deploy Preview: https://deploy-preview-427--dither-staging.netlify.app

@luciorubeens luciorubeens merged commit 12b6ab8 into main Nov 3, 2025
11 checks passed
@luciorubeens luciorubeens deleted the fix/reader-main-action-type branch November 3, 2025 13:41