Limit_rate dynamically using $arg - security

luislavena · April 4, 2012, 10:40pm

I’ve been looking for a way to limit videos to their bitrate to save
bandwidth and I’ve come up with this code

        if ($arg_LIMITSPEED) {
          set $limit_rate $arg_LIMITSPEED;
        }

It works but I would like to know if this code would be secure to use on
a production server.

I am not worried about users setting their LIMITSPEED high on their own
because I am limiting speeds at the network level as well.

Posted at Nginx Forum:

shoshomiga · April 4, 2012, 11:33pm

On 4 April 2012 21:40, shoshomiga [email protected] wrote:

I am not worried about users setting their LIMITSPEED high on their own
because I am limiting speeds at the network level as well.

To be honest, I’m not sure what definition of “insecure” you could be
thinking of that isn’t “the user can override it trivially”

If you’re doing the rate limiting at the network level properly, then
why duplicate the effort? It’s just one more place you have to change
when you upgrade the speed limits.

Personally, I’m prototyping a streaming service at the moment using
X-Accel | NGINX and a double
proxy_pass (via X-Accel-Redirect to an internal storage proxy_pass).
It all looks like it works nicely, and allows the dumb storage backend
to throw data at the nginx router as fast as nginx accepts it, and for
the first (intelligent) proxy_pass backend to decide the bitrate via
X-Accel-Limit-Rate. I’ll blog it soonish

Jonathan

Jonathan M.
London, Oxford, UK
http://www.jpluscplusm.com/contact.html

shoshomiga · April 5, 2012, 1:26pm

Jonathan M. Wrote:

“insecure” you could be
the moment using
X-Accel-Limit-Rate. I’ll blog it soonish
nginx Info Page
By security I meant vulnerability to buffer overflows and other exploits
since limit_rate is probably not meant to recieve that kind of
unsanitized input.

Posted at Nginx Forum:

shoshomiga · April 5, 2012, 4:44pm

Hello!

On Thu, Apr 05, 2012 at 07:26:06AM -0400, shoshomiga wrote:

$arg_LIMITSPEED;
 }
It works but I would like to know if this code
would be secure to use on
a production server.

[…]

By security I meant vulnerability to buffer overflows and other exploits
since limit_rate is probably not meant to recieve that kind of
unsanitized input.

It should be safe. Note though that it will log error if there
are invalid values passed, which may in turn be used as a DoS
vector.

To be on safe side, I would recommend sanitizing the input, e.g.
with map{}. Something like this should work:

map $arg_speed $speed {
    default 64k;
    64k     64k;
    128k    128k;
    256k    256k;
}

...

set $limit_rate $speed;

Maxim D.

shoshomiga · April 5, 2012, 5:06pm

Maxim D. Wrote:

[email protected] wrote:

It works but I would like to know if this
unsanitized input.
map $arg_speed $speed {
    default 64k;
    64k     64k;
    128k    128k;
    256k    256k;
}

...

set $limit_rate $speed;

Is there a way to typecast to int instead?

map{} won’t give me enough flexibility and it would probably be slower
than a typecast.

Posted at Nginx Forum: