Add continuation limit.

Author: ioquatix

lib/protocol/http2/continuation_frame.rb

@@ -9,6 +9,9 @@ module Protocol
 	module HTTP2
 		# Module for frames that can be continued with CONTINUATION frames.
 		module Continued
+			# @constant [Integer] The maximum number of continuation frames to read to prevent resource exhaustion.
+			LIMIT = 8
+			
 			# Initialize a continuable frame.
 			# @parameter arguments [Array] Arguments passed to parent constructor.
 			def initialize(*)
@@ -30,12 +33,20 @@ def end_headers?
 			end
 
 			# Read the frame and any continuation frames from the stream.
+			#
+			# There is an upper limit to the number of continuation frames that can be read to prevent resource exhaustion. If the limit is 0, only one frame will be read (the initial frame). Otherwise, the limit decrements with each continuation frame read.
+			#
 			# @parameter stream [IO] The stream to read from.
 			# @parameter maximum_frame_size [Integer] Maximum allowed frame size.
-			def read(stream, maximum_frame_size)
-				super
+			# @parameter limit [Integer] The maximum number of continuation frames to read.
+			def read(stream, maximum_frame_size, limit = LIMIT)
+				super(stream, maximum_frame_size)
 
 				unless end_headers?
+					if limit.zero?
+						raise ProtocolError, "Too many continuation frames!"
+					end
+					
 					continuation = ContinuationFrame.new
 					continuation.read_header(stream)
 
@@ -48,7 +59,7 @@ def read(stream, maximum_frame_size)
 						raise ProtocolError, "Invalid stream id: #{continuation.stream_id} for continuation of stream id: #{@stream_id}!"
 					end
 
-					continuation.read(stream, maximum_frame_size)
+					continuation.read(stream, maximum_frame_size, limit - 1)
 
 					@continuation = continuation
 				end
@@ -112,6 +123,10 @@ class ContinuationFrame < Frame
 
 			TYPE = 0x9
 
+			def read(stream, maximum_frame_size, limit = 8)
+				super
+			end
+			
 			# This is only invoked if the continuation is received out of the normal flow.
 			def apply(connection)
 				connection.receive_continuation(self)

releases.md

@@ -1,5 +1,9 @@
 # Releases
 
+## Unreleased
+
+  - Introduce a limit to the number of CONTINUATION frames that can be read to prevent resource exhaustion. The default limit is 8 continuation frames, which means a total of 9 frames (1 initial + 8 continuation). This limit can be adjusted by passing a different value to the `limit` parameter in the `Continued.read` method. Setting the limit to 0 will only read the initial frame without any continuation frames. In order to change the default, you can redefine the `LIMIT` constant in the `Protocol::HTTP2::Continued` module, OR you can pass a different frame class to the framer.
+
 ## v0.22.0
 
 ### Added Priority Update Frame and Stream Priority

test/protocol/http2/continuation_frame.rb

@@ -62,4 +62,43 @@ def before
 			expect(frame.inspect).to be =~ /stream_id=0 flags=0 length=0/
 		end
 	end
+	
+	with "read(limit)" do
+		it "reads a single frame" do
+			frame.pack data
+			
+			buffer = StringIO.new
+			frame.write(buffer)
+			buffer.rewind
+			
+			new_frame = subject.new
+			new_frame.read(buffer, 128, 0)
+			expect(new_frame.unpack).to be == data
+		end
+		
+		it "raises if too many continuation frames" do
+			frame.pack data, maximum_size: 2
+			
+			buffer = StringIO.new
+			frame.write(buffer)
+			buffer.rewind
+			
+			expect do
+				new_frame = subject.new
+				new_frame.read(buffer, 128, 1)
+			end.to raise_exception(Protocol::HTTP2::ProtocolError, message: be =~ /Too many continuation frames!/)
+		end
+		
+		it "reads multiple continuation frames" do
+			frame.pack data, maximum_size: 2
+			
+			buffer = StringIO.new
+			frame.write(buffer)
+			buffer.rewind
+			
+			new_frame = subject.new
+			new_frame.read(buffer, 128, 8)
+			expect(new_frame.unpack).to be == data
+		end
+	end
 end