There is a vulnerability in Cowboy that can make it load an arbitrarily long binary into memory, causing the server to become unresponsive.
This works because the functions cowboy_req:body/1 and cowboy_req:body_qs/1 will load the whole request body into memory without checking a limit.
Most servers implement a setting that limits the size of the request body and abort the request once that limit is reached.
Attached is a script that reproduces the issue, which can be used to attack any POST/PUT/DELETE endpoint. This attack is particularly dangerous because it can be done from a single machine with very little resources, by simply streaming one or more requests. The only limit on the speed of the attack is the bandwidth between client and server.
We were able to deploy the attack on servers successfully.
Unfortunately, Cowboy maintainers said this is not a security issue in Cowboy and that it won't be fixed (in fact, I was assured Cowboy is free of security issues, even though the definition of a bug includes something you could not foresee).
This gist is an attempt to make developers using Cowboy aware of the issue so they can patch it up accordingly. So my best advice is to stop using the faulty functions mentioned above and implement the body parsing yourself by relying on the cowboy_req:stream_body/1 function, making sure you abort after a certain limit is reached.
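The bounded reader the advice above describes, as an added example that is neither the gist's attached script nor Cowboy's own code. It assumes the Cowboy 0.8-era contract in which cowboy_req:stream_body/1 returns {ok, Chunk, Req2}, {done, Req2} or {error, Reason}, and that cowboy_req:reply/4 takes a status, a header list, a body and the request; the module name, the 1 MiB cap and the handler shape are assumptions.

```erlang
%% Added example: read a request body chunk by chunk and stop as soon as
%% the running byte count passes a cap, instead of buffering everything
%% the way cowboy_req:body/1 does. Assumes cowboy_req:stream_body/1
%% returns {ok, Chunk, Req2} | {done, Req2} | {error, Reason}.
-module(bounded_body).
-export([read_body/2, handle/2]).

-define(MAX_BODY, 1048576). % 1 MiB cap (constructed value, tune per endpoint)

-spec read_body(Req, non_neg_integer()) ->
    {ok, binary(), Req} | {error, too_large, Req} | {error, term()}.
read_body(Req, MaxBytes) when is_integer(MaxBytes), MaxBytes >= 0 ->
    read_body(Req, MaxBytes, 0, []).

%% Chunks are accumulated in reverse; the count is checked after every
%% chunk so at most one chunk beyond the cap is ever held in memory.
read_body(Req, MaxBytes, Read, Acc) ->
    case cowboy_req:stream_body(Req) of
        {ok, Chunk, Req2} ->
            Read2 = Read + byte_size(Chunk),
            case Read2 > MaxBytes of
                true  -> {error, too_large, Req2};
                false -> read_body(Req2, MaxBytes, Read2, [Chunk | Acc])
            end;
        {done, Req2} ->
            {ok, iolist_to_binary(lists:reverse(Acc)), Req2};
        {error, Reason} ->
            {error, Reason}
    end.

%% Handler sketch: reject an oversized body with 413 and ask the client
%% to close the connection rather than keep reading the remainder.
handle(Req, State) ->
    case read_body(Req, ?MAX_BODY) of
        {ok, Body, Req2} ->
            {ok, Req3} = cowboy_req:reply(200, [], Body, Req2),
            {ok, Req3, State};
        {error, too_large, Req2} ->
            {ok, Req3} = cowboy_req:reply(413,
                [{<<"connection">>, <<"close">>}], <<>>, Req2),
            {ok, Req3, State};
        {error, _Reason} ->
            {ok, Req2} = cowboy_req:reply(400, [], <<>>, Req),
            {ok, Req2, State}
    end.
```

Whether Cowboy drains the unread remainder of the body before honouring the close header depends on the version in use, so verify that on your deployment as well; if it drains, the cap only bounds memory, not the bytes the server will still read off the socket.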
First, we have attempted to disclose this issue in private but it was said it won't be fixed. Second, Cowboy maintainers explicitly asked to release security vulnerabilities publicly, so we will be releasing a couple other vulnerabilities in the following days too.
Unfortunately that supports my impression of the attitude / code quality of Cowboy … +1 for setting a default max body size and letting users override it if necessary