aquatic http: request from path: whitelist url keys for security

This way, the non-ddos-resistant hashmap hasher can be kept. Also improves performance, probably simply because less hashing work is done: time: [2.8050 us 2.8156 us 2.8274 us] change: [-22.940% -22.412% -21.916%] (p = 0.00 < 0.01) Performance has improved.
2026-03-31 17:55:36 +00:00 · 2020-07-19 13:44:16 +02:00 · 2020-07-19 13:44:16 +02:00 · 54e801c6a9
commit 54e801c6a9
parent 09d27d5075
6 changed files with 1017 additions and 1010 deletions
--- a/TODO.md
+++ b/TODO.md
@ -11,8 +11,6 @@
 ## aquatic_http
 * request parsing:
  * tests of main function and the various helper functions
-  * hashmap needs ddos protecting hash function, or keys could be checked
-    against list before insertion
  * deserialize 20 bytes: possibly rewrite (just check length of underlying
    bytes == 20 and then copy them), also maybe remove String from map for
    these cases too
--- a/aquatic_http/src/lib/protocol/request.rs
+++ b/aquatic_http/src/lib/protocol/request.rs
@ -167,12 +167,21 @@ impl Request {
            let value = query_string.get(equal_sign_index + 1..segment_end)
                .with_context(|| format!("no value at {}..{}", equal_sign_index + 1, segment_end))?;
            
-            let value = Self::urldecode_memchr(value)?;
+            // whitelist keys to avoid having to use ddos-resistant hashmap
+            match key {
+                "info_hash" => {
+                    let value = Self::urldecode_memchr(value)?;

-            if key == "info_hash" {
-                info_hashes.push(value);
-            } else {
-                data.insert(key, value);
+                    info_hashes.push(value);
+                },
+                "peer_id" | "port" | "left" | "event" | "compact" | "numwant" | "key" => {
+                    let value = Self::urldecode_memchr(value)?;
+
+                    data.insert(key, value);
+                },
+                k => {
+                    ::log::info!("ignored unrecognized key: {}", k)
+                }
            }

            if segment_end == query_string.len(){
--- a/aquatic_http/target/criterion/request-from-path/latest/estimates.json
+++ b/aquatic_http/target/criterion/request-from-path/latest/estimates.json
@ -1 +1 @@
-{"mean":{"confidence_interval":{"confidence_level":0.95,"lower_bound":3620.223185445427,"upper_bound":3660.1054580320942},"point_estimate":3639.1705234625256,"standard_error":10.23030590161961},"median":{"confidence_interval":{"confidence_level":0.95,"lower_bound":3573.248635351063,"upper_bound":3590.1493227124265},"point_estimate":3581.371033648157,"standard_error":4.667798258726669},"median_abs_dev":{"confidence_interval":{"confidence_level":0.95,"lower_bound":97.9344093806613,"upper_bound":119.75600340036665},"point_estimate":107.24540589334634,"standard_error":5.4808042142175495},"slope":{"confidence_interval":{"confidence_level":0.95,"lower_bound":3619.5284724763083,"upper_bound":3656.7793470824513},"point_estimate":3637.3029331473836,"standard_error":9.48013840981128},"std_dev":{"confidence_interval":{"confidence_level":0.95,"lower_bound":247.96259922399872,"upper_bound":395.99450743999654},"point_estimate":322.5988272216282,"standard_error":37.832790227752945}}
+{"mean":{"confidence_interval":{"confidence_level":0.95,"lower_bound":2813.0057190996495,"upper_bound":2835.0971444734805},"point_estimate":2823.5630570532094,"standard_error":5.60999731355646},"median":{"confidence_interval":{"confidence_level":0.95,"lower_bound":2781.583086146614,"upper_bound":2798.7822350926263},"point_estimate":2790.3154531476994,"standard_error":4.287304236535639},"median_abs_dev":{"confidence_interval":{"confidence_level":0.95,"lower_bound":80.18917995973909,"upper_bound":97.47337305052561},"point_estimate":88.82164587342986,"standard_error":4.385899559662111},"slope":{"confidence_interval":{"confidence_level":0.95,"lower_bound":2805.0369153378406,"upper_bound":2827.3641695562396},"point_estimate":2815.621225429684,"standard_error":5.696158165859643},"std_dev":{"confidence_interval":{"confidence_level":0.95,"lower_bound":138.70894509735032,"upper_bound":221.75787184542193},"point_estimate":177.57952341503912,"standard_error":21.529316188103856}}
--- a/aquatic_http/target/criterion/request-from-path/latest/raw.csv
+++ b/aquatic_http/target/criterion/request-from-path/latest/raw.csv
--- a/aquatic_http/target/criterion/request-from-path/latest/sample.json
+++ b/aquatic_http/target/criterion/request-from-path/latest/sample.json
--- a/aquatic_http/target/criterion/request-from-path/latest/tukey.json
+++ b/aquatic_http/target/criterion/request-from-path/latest/tukey.json
@ -1 +1 @@
-[3073.4575890843375,3293.348255296047,3879.7233651939387,4099.614031405648]
+[2329.596058483846,2533.3581761736277,3076.7238233463795,3280.4859410361614]