Projects based on the Rust Hyper library can easily be vulnerable to DoS attacks. The weak point is the function to_bytes, which can be used to copy the body of an HTTP request or response into a single bytes buffer. So far, developers are not required to limit the length of the copied body, which attackers can exploit to crash processes.
The security team at software manufacturer JFrog found that even large Rust projects like Axum and Salvo had overlooked the problem. Currently, Hyper is the most popular HTTP library for Rust with over 68 million downloads. According to the community repository crates.io, 2595 projects currently depend on Hyper, including the largest Rust-based HTTP clients and servers reqwest and warp.
Weak point: careless programming
Hyper is Rust’s building block for implementing HTTP servers and clients. The library contains methods for answering requests, parsing request bodies, and generating HTTP responses. Although the documentation already describes that the function body::to_bytes comes without checking the copied size, but the JFrog team suspects that many developers ignored the hint. A single HTTP request with so much data that the body occupies the entire memory of the recipient would normally be stopped by proxies, CDNs or firewalls.
However, with Hyper, it is possible to exploit the problem with small packets. If the function to_bytes expecting more than one chunk of data, it creates a vector equal to the length of the body to be read. The length of the vector is determined by the Content-Length header, the value of which attackers can simply set so high that the process crashes when the vector is created. Since HTTP servers often receive data from untrustworthy sources, such an attack is conceivable. This applies to all projects that use Hyper or frameworks based on it.
Fix already included in the documentation
Although there is a length restriction to_bytes not duty that official documentary by Rust, which recently became the official Linux kernel language alongside C, not only warns of the problem but also provides a solution. About checking the content-length the attacks described above can be easily repelled. The documentation provides the following example:
use hyper::{body::HttpBody};
let response = client.request(request).await?;
const MAX_ALLOWED_RESPONSE_SIZE: u64 = 1024;
let response_content_length = match response.body().size_hint().upper() {
Some(v) => v,
None => MAX_ALLOWED_RESPONSE_SIZE + 1 // Just to protect ourselves from a malicious response
};
if response_content_length < MAX_ALLOWED_RESPONSE_SIZE {
let body_bytes = hyper::body::to_bytes(response.into_body()).await?;
println!("body: {:?}", body_bytes);
}The problem pointed out by JFrog isn’t the first time Hyper has been vulnerable to DoS attacks. Already in 2014 and 2015 there were problems with the length of request headers. The original warning about the vulnerability and a more detailed explanation can be found on JFrog’s blog.
(psst)
