Best security questions in July 2011

How robust is nodejs as an http server?

16 votes

If I use the http module of nodejs to make a simple http server, how much validation/checking do I have to do?

Does the module take care of security issues like malformed requests and requests with malicious header values? Does the module ensure that everything follows the http spec, or do I have to do a lot of checking to make sure that my server isn't easy to crash?

Edit: Let's say nodejs doesn't do any real validation, which I'm pretty sure is the case. What do I have to do to make sure my server isn't easily crashable?

What is a malicious header value? Node is low level, so a lot of things aren't checked. But you have to look at those things. But it isn't like someone can send "execute 0xFA894224" or something. The only holes it's likely to have are things like allowing malformed requests (e.g., maybe you might get request.location: "*** CHINAAA ***"), forgetting to launch a socket close event, or throwing a JavaScript error and gracefully terminating.

You can always check yourself for these things, or use a try/catch block, process.on, etc. Of course, it's not to say there might not be a buffer overflow or something somewhere, but it is unlikely considering node is built on top of V8, and many of the libraries are pure JavaScript.

Edit: How to stop random crashes:

process.on('uncaughtException', function (err) {
    /* ignore error: the handler keeps the process alive instead of letting it crash */
});

Is it secure to place uploaded images in a public folder?

10 votes

I've just had a discussion with my teammate about the location of user uploaded images in an image gallery. I would like a broader insight on the methods we suggest.

My teammate wrote a controller + action that calls file_get_contents on an image file placed in a folder that's not available for public browsing (i.e., outside public_html on the server), and echoes it via a header. This is secure, but since we use Zend Framework, it's also crawling slow - each call to the image controller costs us approx 500ms of lag due to the bootstrap's queries being executed. It's annoying since the picture gallery view displays over 20 images at the same time.

In short, the relevant code would be:

class ImageController extends Zend_Controller_Action {
    public function showAction () {
        $filename = addslashes($this->_getParam('filename'));
        if(!is_file($filename)) {
            $filename = APPLICATION_PATH.'/../public/img/nopicture.jpg';
        }
        $this->_helper->viewRenderer->setNoRender(true);
        $this->view->layout()->disableLayout();
        $img = file_get_contents($filename);
        header('Content-Type: image/jpeg');
        $modified = new Zend_Date(filemtime($filename));
        $this->getResponse()
             ->setHeader('Last-Modified',$modified->toString(Zend_Date::RFC_1123))
             ->setHeader('Content-Type', 'image/jpeg')
             ->setHeader('Expires', '', true)
             ->setHeader('Cache-Control', 'public', true)
             ->setHeader('Cache-Control', 'max-age=3800')
             ->setHeader('Pragma', '', true);
        echo $img;
    }
}

Then, in a view, we just call:

<img src="<?php echo $this->url(array('controller' => 'image', 'action' => 'show', 'filename' => PATH_TO_HIDDEN_LOCATION.'/filename.jpg')); ?>" />

I have a different approach: I prefer to keep the original images in a hidden location, but as soon as they are requested, copy them to a public location and provide a link to it (with an extra mechanism, run by cron, to wipe the public images directory every now and then in order not to waste space, and a robots.txt telling Google not to index the directory). The solution places files (a few at every given moment) in a publicly accessible directory (provided one knows the filename), but also requires only a view helper, thus not launching the bootstrap:

class Zend_View_Helper_ShowImage extends Zend_View_Helper_Abstract {
    public function showImage ($filename) {
        if (!file_exists(PUBLIC_PATH."/img/{$filename}")) {
            if (!copy(PATH_TO_HIDDEN_FILES."/{$filename}",PUBLIC_PATH."/img/{$filename}"))
                $url = PUBLIC_PATH.'/img/nopicture.jpg';
            else
                $url = PUBLIC_PATH."/img/{$filename}";
        } else {
            $url = PUBLIC_PATH."/img/{$filename}";
        }
        return "{$url}";
    }
}

With the aid of this helper, the call is very simple in the view:

<img src="<?php echo $this->showImage('filename.jpg'); ?>" />

Question: Does my approach pose a security threat, as my colleague states? What are the potential risks of this? And, most importantly, do the security threats, if any, outweigh the 10 seconds gain on page load?

In case it matters: we're working on a community portal with around 15K registered users, with the galleries being a very frequently used feature.

*The code I pasted is an edited, simplified version of what each of us has come up with - just to show the mechanics of both approaches.

I have a different approach: I prefer to keep the original images in a hidden location, but as soon as they are requested, copy them to a public location and provide a link to it

+1 for creativity.

Does my approach pose a security threat, as my colleague states? What are the potential risks of this? And, most importantly, do the security threats, if any, outweigh the 10 seconds gain on page load?

Sort of. Yes, if you have images only some people are allowed to see, and you're putting them into a publicly accessible directory, there is a chance other people can see that image, which appears to be undesirable. I also don't think (might be wrong) that it will gain 10 seconds on a page load, as you'll have to copy the images, which is a rather intensive operation, more than using file_get_contents or readfile().

This is secure, but since we use Zend Framework, it's also crawling slow - each call to the image controller costs us approx 500ms of lag due to the bootstrap's queries being executed.

If I may suggest: nuke Zend Framework for this specific case. I'm using Zend Framework for a rather large website as well, so I know the bootstrap can take longer than you want. If you circumvent Zend Framework, opting for vanilla PHP, this would improve the performance significantly.

Also, use readfile(), not file_get_contents(). There's a big difference in that file_get_contents will load the whole file in memory before outputting, where readfile does this more efficiently.

Why do ASP.NET JSON web services return the result in 'd'?

6 votes

I wrote some ASP.NET web services that use JSON encoding, a la:

[WebInvoke()]
[OperationContract]
public int SetInformation(int recordid, string data)
{
    return 42;
}

and the returned JSON is:

{"d": 42}

Why is the parameter named d? Can I control that? Say, to e?

For reference, a few similar questions I've finally been able to dig up:

This is a "security" feature that prevents the returned JSON from being directly executable as JavaScript inside an eval statement. Or something very similar along these lines.

More information on this topic: http://encosia.com/a-breaking-change-between-versions-of-aspnet-ajax/ take a look at the section labeled Waiter, there’s a .d in my msg soup!
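An added example (not from the original answer) of the mechanism behind the envelope: a bare JSON array is a valid JavaScript statement, while {"d": ...} is a syntax error as a statement, so a response that gets pulled into a page as script cannot run. The unwrap helper is an assumption about how a client would consume the response.

```javascript
// Added example (not from the original answer): why the {"d": ...} envelope
// makes a JSON response inert as a script. Parsing the text as a function body
// mirrors what happens when a response is loaded as script instead of as data.
function parsesAsScript(text) {
  try { new Function(text); return true; } catch (e) { return false; }
}
// Note: the quotes matter. {d: 42} would parse as a block with a label "d",
// which is valid JavaScript; the JSON form {"d": 42} is a block that starts
// with the string "d" followed by a stray colon, which is a syntax error.

// A client should therefore always JSON.parse the body and unwrap it,
// never eval it. Returns the payload inside the envelope.
function unwrapResponse(body) {
  const parsed = JSON.parse(body);
  if (parsed === null || typeof parsed !== 'object' || !('d' in parsed)) {
    throw new Error('expected an ASP.NET-style {"d": ...} envelope');
  }
  return parsed.d;
}
```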

Asymmetric and symmetric key storage.

2 votes

Hi guys and thanks for reading.

I'm working on an ajax portal and I need some advice. My client wants it fairly secure but doesn't want to deal with ssl. There is no ultra sensitive data to store so I'm doing a custom "handshake" when the page initializes.

Since in every session I'm dealing with 2 new sets of asymmetric keys and some symmetric ones as well, I want to know how you guys would handle these keys. This is probably going to reside on a shared host and I've read everywhere that the session file can't really be trusted in that case...

Right now I'm storing some info in the session file pointing to the right keys, which are in a database. Everything works just fine as it is (well, I think :))... Now I want to delete the keys from the database when the user session ends, so I don't end up with tables filled with useless keys.

Even if I knew it is BAD, I tried an ajax call when closing the window/browser... this is indeed BAD and inconsistent, so this option is out of the way. I also thought about a cron job to erase every key dating more than a couple of days, but it kind of feels "unfinished" to me...

My question is: I'm wondering how ssl handles its keys? Where are they stored while the user session lasts? How do you guys deal/would deal with this?

Thanks

EDIT

Yep, I should have known that this question would lead to that.

I know that ssl would be the best option and it is to my own regret that I have coded my application. I'll talk some more to my client about it, but I have little hopes. If he still wants to go http, I won't risk losing the contract to prove my point, and I'll have an alternative to protect its non-sensitive data (login info kinda, no credit card...).

Yes, "fairly secure" is appropriate since no system is completely secure. "Fairly secure" means that a wannabe hacker who just downloaded Wireshark, or watched a video on YouTube on how to do a man-in-the-middle attack, won't be able to get in. I would say that it is already a lot better than all the multi-billion gaming companies who have recently been put to shame by some teenagers.

The correct answer goes to Nasko who answered part of my question and made some obvious recommendations, without being cocky at that.

SSL generates a symmetric key for each handshake it completes and stores it in memory (unless the session cache is written to disk).

That said, I would suggest to avoid doing your own crypto protocol, since you are bound to make a mistake. Even the best crypto people make mistakes, so I wouldn't recommend anyone doing it for the sake of doing it.

Figure out what the problems are that your client perceives with SSL and address those. This way you use standard technology that is proven to work and your customer is happy at the end.