setBigTimeout

(evanhahn.com)

210 points cfj | 1 comments | 17 Oct 24 18:01 UTC | HN request time: 0s | source

Show context

n2d4 ◴[18 Oct 24 16:24 UTC] No.41880898[source]▶

>>41872010 (OP) #

The default behaviour of setTimeout seems problematic. Could be used for an exploit, because code like this might not work as expected:

    const attackerControlled = ...;
    if (attackerControlled < 60_000) {
      throw new Error("Must wait at least 1min!");
    }

    setTimeout(() => {
      console.log("Surely at least 1min has passed!");
    }, attackerControlled);

The attacker could set the value to a comically large number and the callback would execute immediately. This also seems to be true for NaN. The better solution (imo) would be to throw an error, but I assume we can't due to backwards compatibility.

replies(6): >>41881042 #>>41881074 #>>41881774 #>>41882110 #>>41884470 #>>41884957 #

swatcoder ◴[18 Oct 24 17:48 UTC] No.41881774[source]▶

>>41880898 #

That's just terrible input validation and has nothing to do with setTimeout.

If your code would misbehave outside a certain range of values and you're input might span a larger range, you should be checking your input against the range that's valid. Your sample code simply doesn't do that, and that's why there's a bug.

That the bug happens to involve a timer is irrelevant.

replies(3): >>41881907 #>>41885121 #>>41888700 #

ashkankiani ◴[19 Oct 24 02:13 UTC] No.41885121[source]▶

>>41881774 #

You are a bad programmer if you think silently doing the wrong thing is not a bug. The right thing to do with unexpected input as the setTimeout library author is to raise an exception.

replies(2): >>41885327 #>>41888753 #

1. balls187 ◴[19 Oct 24 16:25 UTC] No.41888753[source]▶

>>41885121 #

The wrong thing, or the undefined thing?

Feel free to make a proposal to ECMA.

↑