RPC: don't cap page size in unsafe mode #6329
Conversation
actually belongs in a config file i guess, but this hard coded max creates weird behavior in downstream clis: regen-network/regen-ledger#272
Codecov Report

Coverage diff, master vs. #6329:

              master     #6329     +/-
Coverage      60.80%     60.77%    -0.03%
Files         282        282
Lines         26865      26865
Hits          16334      16326     -8
Misses        8818       8836      +18
Partials      1713       1703      -10
Instead of changing the max value here, we should allow the maxPerPage to be overridden by what the user sets in the request.
I thought that the
If the user can override it then we don't really need a max right?
Agree here. Was trying to compromise, but clients should implement pagination handling.
Agreed, but only when it is really needed... a hard-coded limit of 100 seems way too low.
I would agree, if the RPC wasn't such a large DOS vector. There are known issues with mutex contention that slow down nodes when the RPC is used. My take is, I want to avoid defaulting behavior that could expose a larger DOS vector. Note: the SDK has the same default https://github.com/cosmos/cosmos-sdk/blob/master/types/query/pagination.go#L16.
hmmmm. excellent point. perhaps the large pages could be allowed only from localhost, or otherwise configurable in a safe way. During the regen testnet, I ran an extra node just for data queries and stats calculations. It was not even exposed. In this case and other cases with other security measures in place to prevent DOS, this hard-coded value is not cool. Perhaps this PR is far too simple and dangerous, but could you imagine adding a config option in the future?
I think the best option, at least in the short term, may be to use the Line 398 in 3a69056
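The trade-off argued over in the thread (keep the hard-coded cap on a publicly reachable RPC because large pages are a DOS vector, but let an operator who runs a non-exposed node opt out, and make clients paginate instead of asking for one huge page), as an added example in Go. This is illustration code written for this page, not Tendermint's or the Cosmos SDK's own implementation: the names ValidatePerPage, ValidatePage, PageBounds, Server, Query and FetchAll, the unsafe flag, and the in-memory dataset are all assumptions; only the numbers 100 (the cap discussed) and a smaller default page size come from the discussion.

```go
package main

import "fmt"

// The cap of 100 is the number discussed in the thread; the default and every
// name below are assumptions for this example, not Tendermint's own code.
const (
	defaultPerPage = 30
	maxPerPage     = 100
)

// ValidatePerPage clamps the requested page size. With unsafe == false (the
// right setting for any RPC reachable by untrusted clients) a request above
// maxPerPage is silently reduced, which is what surprised downstream CLIs.
// With unsafe == true the caller's value is honoured, which only makes sense
// for a node that is not exposed, e.g. a localhost-only stats node.
func ValidatePerPage(perPage *int, unsafe bool) int {
	if perPage == nil || *perPage < 1 {
		return defaultPerPage
	}
	if !unsafe && *perPage > maxPerPage {
		return maxPerPage
	}
	return *perPage
}

// ValidatePage checks a 1-based page index against the number of pages that
// the already-clamped page size produces. nil means page 1.
func ValidatePage(page *int, perPage, totalCount int) (int, error) {
	if page == nil {
		return 1, nil
	}
	pages := (totalCount + perPage - 1) / perPage
	if pages == 0 {
		pages = 1
	}
	if *page < 1 || *page > pages {
		return 0, fmt.Errorf("page should be within [1, %d] range, given %d", pages, *page)
	}
	return *page, nil
}

// PageBounds returns the half-open [skip, end) bounds of page in totalCount items.
func PageBounds(totalCount, page, perPage int) (skip, end int) {
	skip = (page - 1) * perPage
	end = skip + perPage
	if end > totalCount {
		end = totalCount
	}
	return skip, end
}

// Server is a constructed stand-in for an RPC node: a slice of items and the
// mode flag that decides whether the cap applies.
type Server struct {
	Items  []int
	Unsafe bool
}

// NewServer builds a server holding the integers 0..n-1 (constructed data).
func NewServer(n int, unsafe bool) *Server {
	items := make([]int, n)
	for i := range items {
		items[i] = i
	}
	return &Server{Items: items, Unsafe: unsafe}
}

// Query plays the handler: clamp per_page, validate page, slice the data.
// It returns the page's items, the total count and any error.
func (s *Server) Query(page, perPage *int) ([]int, int, error) {
	total := len(s.Items)
	pp := ValidatePerPage(perPage, s.Unsafe)
	p, err := ValidatePage(page, pp, total)
	if err != nil {
		return nil, total, err
	}
	skip, end := PageBounds(total, p, pp)
	return s.Items[skip:end], total, nil
}

// FetchAll is the client side the thread asks for: walk pages until the
// reported total is reached, so a clamped per_page still yields every item
// rather than a silently truncated result. The len(items)==0 guard stops the
// loop even if a server reports an inconsistent total.
func FetchAll(s *Server, perPage int) ([]int, error) {
	var out []int
	for page := 1; ; page++ {
		items, total, err := s.Query(&page, &perPage)
		if err != nil {
			return nil, err
		}
		out = append(out, items...)
		if len(items) == 0 || len(out) >= total {
			return out, nil
		}
	}
}

func main() {
	want := 1000
	safe := NewServer(250, false)
	first, total, _ := safe.Query(nil, &want)
	fmt.Printf("safe mode: asked for %d, got %d of %d\n", want, len(first), total)
	all, _ := FetchAll(safe, want)
	fmt.Printf("safe mode, paginating client: %d items\n", len(all))
	open := NewServer(250, true)
	first, _, _ = open.Query(nil, &want)
	fmt.Printf("unsafe mode: asked for %d, got %d\n", want, len(first))
}
```

The point of keeping the cap in the default mode is the one made above: a single request for a very large page ties up the node for longer than a single request should, so the cap stays on unless the operator has explicitly decided the node is not reachable by untrusted clients. A client that walks pages with FetchAll gets the full result either way, which is the behaviour downstream CLIs should rely on rather than on a large per_page being honoured.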
utACK