
setBigTimeout

(evanhahn.com)
210 points cfj | 2 comments
n2d4 ◴[] No.41880898[source]
The default behaviour of setTimeout seems problematic. Could be used for an exploit, because code like this might not work as expected:

    const attackerControlled = ...;
    if (attackerControlled < 60_000) {
      throw new Error("Must wait at least 1min!");
    }

    setTimeout(() => {
      console.log("Surely at least 1min has passed!");
    }, attackerControlled);

The attacker could set the value to a comically large number and the callback would execute immediately. This also seems to be true for NaN. The better solution (imo) would be to throw an error, but I assume we can't due to backwards compatibility.
replies(6): >>41881042 #>>41881074 #>>41881774 #>>41882110 #>>41884470 #>>41884957 #
sfvisser ◴[] No.41881074[source]
Don’t ever use attacker controlled data directly in your source code without validation. Don’t blame setTimeout for this, it’s impolite!
replies(1): >>41881265 #
1. n2d4 ◴[] No.41881265[source]
The problem is the validation. You'd expect you just have to validate a lower bound, but you also have to validate an upper bound.
replies(1): >>41884117 #
2. leptons ◴[] No.41884117[source]
It's user input, you have to validate all the bounds, and filter out whatever else might cause problems. Not doing so is a problem with the programmer, not setTimeout.
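
The two-sided bounds check this thread argues over, as an added example that is not part of any comment or of the linked article. The helper names `checkDelay` and `setValidatedTimeout` are hypothetical; the upper limit is the signed 32-bit maximum that browsers and Node.js apply to timer delays.

```javascript
// Added example: hypothetical helper names, not from the thread or the linked article.
// Browsers and Node.js keep the delay in a signed 32-bit integer.
const MAX_TIMEOUT_MS = 2 ** 31 - 1; // 2147483647 ms, about 24.8 days

// Returns { ok: true, delay } or { ok: false, reason } without scheduling anything.
function checkDelay(value, minMs) {
  if (typeof value !== "number" || !Number.isFinite(value)) {
    return { ok: false, reason: "not a finite number" }; // NaN, Infinity, strings
  }
  if (!Number.isInteger(value)) {
    return { ok: false, reason: "not an integer" };
  }
  if (value < minMs) {
    return { ok: false, reason: "below minimum" };
  }
  if (value > MAX_TIMEOUT_MS) {
    return { ok: false, reason: "above setTimeout maximum" };
  }
  return { ok: true, delay: value };
}

// Schedules the callback only when the delay passed every check; throws otherwise.
function setValidatedTimeout(callback, value, minMs) {
  const result = checkDelay(value, minMs);
  if (!result.ok) {
    throw new RangeError(`Rejected delay ${String(value)}: ${result.reason}`);
  }
  return setTimeout(callback, result.delay);
}

// Constructed sample inputs covering the cases raised in the thread.
const samples = [59_999, 60_000, MAX_TIMEOUT_MS, MAX_TIMEOUT_MS + 1, 1e15, NaN, Infinity, "60000"];
for (const s of samples) {
  console.log(String(s), JSON.stringify(checkDelay(s, 60_000)));
}
```

Rejecting out-of-range values, rather than clamping them, keeps a "wait at least N ms" guarantee from silently turning into an immediate callback.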