←back to thread

Denial of service and source code exposure in React Server Components

(react.dev)
298 points sangeeth96 | 6 comments | 11 Dec 25 20:46 UTC | HN request time: 0.419s | source | bottom
1. dizlexic ◴[12 Dec 25 03:46 UTC] No.46240671[source]
I'm not going to let go my argument with Dan Abramov on x 3 years ago where he held up rsc as an amazing feature and i told him over and over he was making a foot gun. tahdah!

I'm a nobody PHP dev. He's a brilliant developer. I can't understand why he couldn't see this coming.

replies(5): >>46240967 #>>46241390 #>>46241865 #>>46242231 #>>46242388 #
2. peacebeard ◴[12 Dec 25 04:48 UTC] No.46240967[source]
You might be more brilliant than you think.
3. danabramov ◴[12 Dec 25 06:23 UTC] No.46241390[source]
For what it’s worth, I’ve just built an app for myself with RSC, and I’m still a huge fan of this way of building and structuring web software.

I agree I underestimated the likelihood of bugs like this in the protocol, though that’s different from most discussions I’ve had about RSC (where concerns were about user code). The protocol itself has a fairly limited surface area (the serializer and deserializer are a few kloc each), and that’s where all of the exploits so far have concentrated.

Vulnerabilities are frustrating, and this seems to be the first time the protocol is getting a very close look from the security community. I wish this was something the team had done proactively. We’ll probably hear more from the team after things stabilize a bit.

4. locallost ◴[12 Dec 25 07:54 UTC] No.46241865[source]
I'm not defending React and this feature, and I also don't use it, but when making a statement like that the odds are stacked in your favor. It's much more likely that something's a bad idea than a good idea, just as a baseball player will at best fail just 65-70% of the time at the plate. Saying for every little thing that it's a bad idea will make you right most of the time.

But sometimes, occasionally, a moonshot idea becomes a home run. That's why I dislike cynicism and grizzled veterans for whom nothing will ever work.

5. jdkoeck ◴[12 Dec 25 09:03 UTC] No.46242231[source]
A tale as old as time: hubris. A successful system is destined to either stop growing or morph into a monstrosity by taking on too many responsibilities. It's hard to know when to stop.

React lost me when it stopped being a rendering library and became a "runtime" instead. What do you know, when a runtime starts collapsing rendering, data fetching, caching, authorization boundaries, server and client into a single abstraction, the blast radius of any mistake becomes enormous.

6. hu3 ◴[12 Dec 25 09:29 UTC] No.46242388[source]
I never saw brilliance in his contributions. Specially as React keeps being duct-taped.

Making complex things complex is easy.

Vue on the other hand is just brilliant. No wonder it's creator, Evan You went on to also create Vite. A creation so superior that it couldn't be confined to Vue and React community adopted it.

https://evanyou.me