堆栈内存溢出
  简体   繁体   English

应要求拒绝服务资源耗尽

[英]Denial Of Service Resource Exhaustion on request

 原文  2021-10-14 12:13:34       go/ security

问题描述

In my project, there is one func to iterate list of items, then for each item to call one func to make GET request to retrieve some params.在我的项目中,有一个 func 来迭代项目列表,然后为每个项目调用一个 func 来发出 GET 请求以检索一些参数。 When we use the checkmarx to do the scan, it points to the resp, err := http.Get(url) and says当我们使用 checkmarx 进行扫描时,它指向resp, err := http.Get(url)并说

The resource Get allocated is prone to resource exhaustion when used by another func资源Get分配在被其他func使用时容易出现资源耗尽的情况

Below is the getParams() func.下面是 getParams() 函数。 Is there any potential resource exhaustion for this func?这个函数是否有潜在的资源耗尽?

func getParams() (float64, float64, error) {
    url := "http://url.to.get.response"
    // the resource allocated below is prone to resource exhaustion?
    resp, err := http.Get(url)
    if err != nil {
        log.Error(err.Error(), err)
        return -1.0, -1.0, err
    }
    defer resp.Body.Close()

    var result map[string]interface{}
    body, err := ioutil.ReadAll(resp.Body)
    if err != nil {
        log.Error(err.Error(), err)
    }

    json.Unmarshal(body, &result)

    if routes, ok := result["routes"].([]interface{}); ok {
        route := routes[0].(map[string]interface{})
        summary := route["summary"].(map[string]interface{})
        secs := summary["seconds"]
        meters := summary["meters"].(float64)
        var mins float64
        if etai, ok := secs.(float64); ok {
            mins = etai / 60
        } else {
            mins = 0
        }
        return mins, meters, nil
    }

    return -1.0, -1.0, nil
}

1 个解决方案

解决方案1
 0  2021-10-14 13:09:24

Is there a cap on top on the loop, in other words if the list is 10M elements, will the code try to send 10M requests?循环顶部是否有上限,换句话说,如果列表是 10M 元素,代码会尝试发送 10M 请求吗?

Remember web requests use random source port for the session and those are limited in quantity, also establishing a connection is a subject to memory allocation, which too is a limiting factor that you may want to account for.请记住,Web 请求对会话使用随机源端口,并且数量有限,建立连接也受内存分配的影响,这也是您可能想要考虑的限制因素。 To top it off, the operating system can have its own limit on number of simultaneous active "descriptors".最重要的是,操作系统可以对同时活动的“描述符”的数量有自己的限制。

Not sure if this is what the error is trying to tell you, just my best guess.不确定这是否是错误试图告诉你的,只是我最好的猜测。 If so, you may want to introduce some synchronization into the code, so that only n-number of connections are established at a time.如果是这样,您可能希望在代码中引入一些同步,以便一次只建立 n 个连接。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Golang url.Parse 中的 Checkmarx 资源耗尽 - Checkmarx Resource Exhaustion in Golang url.Parse 在应用程序服务调用期间在运行时创建自定义资源 - Creating custom resource at runtime during application service calls 在 GoLang 中使用通用原型请求数据的 GRPC 服务 - GRPC Service with Generic proto request data in GoLang 服务/方法请求格式错误 - service/method request ill-formed 根据服务请求发布部署 Pod 创建/删除 - Post deployment pod creation/deletion based on service request 如何在GoLang中的CoAP中为服务器编写服务端点PUT请求方法? - How to write service endpoint PUT request method in CoAP in GoLang for server? 通过 unix 域套接字请求 http 服务时出现损坏的 pipe - Broken pipe appears when request http service through unix domain socket 代理如何访问grpc服务中的请求标头。 Golang的grpc-gateway - How to access request headers in grpc service proxied by. grpc-gateway in golang 这里有资源泄漏吗? - Is there a resource leak here? 带有“--skip-model”标志的“生成资源”命令导致资源错误 - “Generate resource” command with “--skip-model” flag results in faulty resource
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM