setBigTimeout

(evanhahn.com)

210 points cfj | 1 comments | 17 Oct 24 18:01 UTC | HN request time: 0.001s | source

Show context

n2d4 ◴[18 Oct 24 16:24 UTC] No.41880898[source]▶

>>41872010 (OP) #

The default behaviour of setTimeout seems problematic. Could be used for an exploit, because code like this might not work as expected:

    const attackerControlled = ...;
    if (attackerControlled < 60_000) {
      throw new Error("Must wait at least 1min!");
    }

    setTimeout(() => {
      console.log("Surely at least 1min has passed!");
    }, attackerControlled);

The attacker could set the value to a comically large number and the callback would execute immediately. This also seems to be true for NaN. The better solution (imo) would be to throw an error, but I assume we can't due to backwards compatibility.

replies(6): >>41881042 #>>41881074 #>>41881774 #>>41882110 #>>41884470 #>>41884957 #

wging ◴[18 Oct 24 18:27 UTC] No.41882110[source]▶

>>41880898 #

In nodejs you at least get a warning along with the problematic behavior:

    Welcome to Node.js v22.7.0.
    Type ".help" for more information.
    > setTimeout(() => console.log('reached'), 3.456e9)
    Timeout { <contents elided> }
    > (node:64799) TimeoutOverflowWarning: 3456000000 does not fit into a 32-bit signed integer.
    Timeout duration was set to 1.
    (Use `node --trace-warnings ...` to show where the warning was created)
    reached

I'm surprised to see that setTimeout returns an object - I assume at one point it was an integer identifying the timer, the same way it is on the web. (I think I remember it being so at one point.)

replies(2): >>41882311 #>>41884284 #

1. augusto-moura ◴[18 Oct 24 18:47 UTC] No.41882311[source]▶

>>41882110 #

It returns an object for a long time now, I might say it was always like this actually. Don't know about very old versions

↑