From 23036ca0aa1d8854a50265f7e341daeb281711e2 Mon Sep 17 00:00:00 2001
From: hippoz
Date: Wed, 13 Oct 2021 17:51:05 +0300
Subject: [PATCH] feat: limit gateway payload size

---
 api/v2/gateway/index.js | 9 +++++++--
 config.js | 1 +
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/api/v2/gateway/index.js b/api/v2/gateway/index.js
index f887abe..ea60640 100644
--- a/api/v2/gateway/index.js
+++ b/api/v2/gateway/index.js
@@ -9,6 +9,7 @@ const Channel = require("../../../models/Channel");
 const Message = require("../../../models/Message");
 const { parseMessage, packet } = require("./messageparser");
 const { checkToken } = require("../../../common/auth/authfunctions");
+const config = require("../../../config");
 
 const wsCloseCodes = {
 PAYLOAD_ERROR: [4001, "Error while handling payload"],
@@ -19,7 +20,8 @@ const wsCloseCodes = {
 NOT_AUTHORIZED: [4006, "Not authorized"],
 FLOODING: [4007, "Flooding"],
 NO_PING: [4008, "No ping"],
- UNSUPPORTED_ATTRIBUTE: [4009, "Unsupported attribute."],
+ UNSUPPORTED_ATTRIBUTE: [4009, "Unsupported attribute"],
+ ILLEGAL_PAYLOAD_SIZE: [4010, "Illegal payload size"],
 };
 
 const attributes = {
@@ -287,7 +289,10 @@ class GatewayServer {
 ws.session = session;
 ws.on("message", async (data, isBinary) => {
 try {
- if (isBinary || !ws.session) return ws.close(wsCloseCodes.PAYLOAD_ERROR[0], wsCloseCodes.PAYLOAD_ERROR[1]);
+ if (isBinary || !ws.session)
+ return ws.close(wsCloseCodes.PAYLOAD_ERROR[0], wsCloseCodes.PAYLOAD_ERROR[1]);
+ if (data.byteLength > config.gatewayMaxPayloadBytes)
+ return ws.close(wsCloseCodes.ILLEGAL_PAYLOAD_SIZE[0], wsCloseCodes.ILLEGAL_PAYLOAD_SIZE[0]);
 const status = await this.handler.handleMessage(ws.session, parseMessage(data.toString()));
 if (status && status.error) {
 return ws.close(status.error[0], status.error[1]);
diff --git a/config.js b/config.js
index dcc8b79..06dd567 100755
--- a/config.js
+++ b/config.js
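Review bot: The new size guard in the third hunk passes `wsCloseCodes.ILLEGAL_PAYLOAD_SIZE[0]` as both arguments to `ws.close`, so the numeric code 4010 lands where the reason string belongs and the "Illegal payload size" text is not sent; the second argument should use index 1: `return ws.close(wsCloseCodes.ILLEGAL_PAYLOAD_SIZE[0], wsCloseCodes.ILLEGAL_PAYLOAD_SIZE[1]);`. The check also runs only after the whole message has been received and delivered to this handler, so it bounds parsing and handling cost but not the memory spent buffering an oversized frame. If the server is the `ws` package's `WebSocketServer` (its construction is outside this hunk), passing `maxPayload: config.gatewayMaxPayloadBytes` there would reject oversized frames while they are being received. The `message` handler's body, including the `catch` for this `try`, continues outside the hunk.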
@@ -37,6 +37,7 @@ module.exports = {
 tokenExpiresIn: "8h",
 gatewayPingInterval: 15000,
 gatewayPingCheckInterval: 4500,
+ gatewayMaxPayloadBytes: 4096,
 clientFacingPingInterval: 14750,
 bcryptRounds: 10,
 experiments: {
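Review bot: `gatewayMaxPayloadBytes` is added without a comment saying what it bounds, and nothing visible guards against it being absent or non-numeric. The gateway compares `data.byteLength > config.gatewayMaxPayloadBytes`; if the key is missing (for example in a config file not updated alongside this commit), that comparison is always false and the limit fails open. I would add `// Max size in bytes of one inbound gateway message; larger ones close the socket with 4010. Must be a positive integer.` above the key and consider validating the value at startup. The `module.exports` object continues outside the hunk.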