-
-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Re-add compression to BwdServer #3664
base: main
Are you sure you want to change the base?
Conversation
8401daa
to
dc7e5af
Compare
Can you explain this a bit more? I'm not super familiar with lldb and why we'd want to avoid it. |
Expecto has its own |
6b78517
to
c26c52f
Compare
works with ocaml, which compresses it
c26c52f
to
f6bb2e5
Compare
I've gotten stuck here, and having a few issues: issue oneIf I run
with this
It's always with that test, never any other test. And it doesn't fail if I run just the I did some debugging on this and I determined that this is happening between the dark server sending a response and the test suite receiving it. So probably in the compression middleware? What's happening AFAICT is that the response is being truncated. It starts the same as expected but then truncated unexpectedly after a number of bytes (possibly the first transfer-encoding chunk?) It may be necessary to report it upstream and wait til it gets fixed. issue 2I'm a little sketch about compressing every bwdserver response. Maybe I'm wrong about that, I guess it just feels wrong to compress everything. To handle this I started issue 3I think we need more tests, probably at least one that actually does compression for each of the |
Still processing this, but I found this to be a worthwhile read on the topic of "compressing every bwdserver response" - mostly, the last bit. |
here's a quick dump of public F# repos using For example, web frameworks like Saturn and Falco are public, and potentially have tests around this. Edit: worth a shot, but reviewed this and didn't find anything worthwhile. |
We might also say that we don't want https for bwdserver because of BREACH: http://www.breachattack.com/ My read is that compressing before encrypting will allow attackers to guess some contents in some cases. Since users will have programs that support those use cases (such as csrf |
Of course, this might be up to the user. |
At the very least, I'm not convinced that compression is a blocker for go-live of BwdServer, given the risks to weigh there. |
Regarding
By what - our testing set-up, or something earlier? (conclusion might not be there yet, suspicion fine) edit: nevermind, saw some details in your earlier comments. |
Somehow, |
Regarding "I'm a little sketch about compressing every bwdserver response," using |
Pretty sure that's the default. It's more that it doesn't add much to a 5 bytes response. |
@pbiggar I'm curious if you've had any thoughts on this recently? |
Yeah, I had a think about the security implications. From reading around, the general consensus is that compression is important and BREACH requires enough convergence of circumstances that it's ok to require customers to provide the mitigations should they choose (such as adding a random amount of whitespace to their JSON responses, and being careful where they put CSRFs and user replaying data the user provides). In the future, we could choose to add various mitigations for customers if we wanted. So let's enable it for now, at Fastest. |
This could be taken on by a motivated contributor. There have been a lot of changes since then so it will probably be easier to port the functionality than to merge/rebase. The only thing remaining to make this PR work was testing, and we've since added testing features to allow us to test using binary files, so this should be easy now. |
This adds gzip (and also brotli!) to the BwdServer backend. That was pretty trivial.
However, testing it was not easy. I tried some different strategies. The first was just to add the zipped binary data that we expect. However, F# and OCaml produced different binary data (expected, since gzip can run at different settings), but that made testing hard.
So then I thought let's just decompress the data and check it's the expected output (which means we're putting the expected output in the test instead of the raw bytes). However, I ran into some problems decoding the bytes. The bytes are a set of
transfer-encoding: chunked
bytes. This means each chunk is has a header like this:7\r\n
and then 7 bytes (or whatever). It's supposed to end in0\r\n
but asp.net doesn't provide the final chunk header. Instead, I think we're supposed to use the closing of the connection to interpret that the stream is done.This seems to work in chrome, but doesn't work with the library I added. I was on the way to changing the test to try fetching the body using the .NET HttpClient library (only in the event of
content-encoding: gzip
+transfer-encoding:chunked
). I started refactoring to allow that.Another option might be to just add the
0\r\n
at the end of the bytes if they aren't already there. I suspect that would allow the current solution to work.The tests are in a half-finished state, and do not represent the right input or output. The long tests are supposed to have enough output to trigger the nginx gzip (which kicks in at 1024 bytes). I don't know when the asp.net gzip kicks in.
Note that the nginx we use doesn't support brotli, so that might complicate testing (asp.net does). Perhaps we only support gzip for now and enable brotli later? Or just do an FSHARPONLY test.