From b7e88cb90461e239ac383b48e7e376374ef57642 Mon Sep 17 00:00:00 2001
From: John McLear
Date: Sun, 14 Feb 2021 19:04:29 +0000
Subject: [PATCH] security: New setting for Socket.IO `maxHttpBufferSize`

---
 CHANGELOG.md                       |  7 ++++---
 settings.json.docker               | 11 +++++++++++
 settings.json.template             | 11 +++++++++++
 src/node/hooks/express/socketio.js |  2 +-
 src/node/utils/Settings.js         | 12 ++++++++++++
 5 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdbb5fcf2..6ee4348f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,9 +9,10 @@
 * Dependencies are now installed with the `--no-optional` flag to speed
   installation. Optional dependencies such as `sqlite3` must now be manually
   installed (e.g., `(cd src && npm i sqlite3)`).
-* Socket.IO messages are now limited to 1MiB to make denial of service attacks
-  more difficult. This may cause issues with plugins that send large messages,
-  e.g., `ep_image_upload`.
+* Socket.IO messages are now limited to 10K bytes to make denial of service
+  attacks more difficult. This may cause issues when pasting large amounts of
+  text or with plugins that send large messages (e.g., `ep_image_upload`). You
+  can change the limit via `settings.json`; see `socketIo.maxHttpBufferSize`.
 * The top-level `package.json` file, added in v1.8.7, has been removed due to
   problematic npm behavior. Whenever you install a plugin you will see the
   following benign warnings that can be safely ignored:
diff --git a/settings.json.docker b/settings.json.docker
index de9cc3245..7bb2917c2 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -445,6 +445,17 @@
    */
   "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
 
+  "socketIo": {
+    /*
+     * Maximum permitted client message size (in bytes). All messages from
+     * clients that are larger than this will be rejected. Large values make it
+     * possible to paste large amounts of text, and plugins may require a larger
+     * value to work properly, but increasing the value increases susceptibility
+     * to denial of service attacks (malicious clients can exhaust memory).
+     */
+    "maxHttpBufferSize": 10000
+  },
+
   /*
    * Allow Load Testing tools to hit the Etherpad Instance.
    *
diff --git a/settings.json.template b/settings.json.template
index d78035ad4..b8722fbdc 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -450,6 +450,17 @@
    */
   "socketTransportProtocols" : ["xhr-polling", "jsonp-polling", "htmlfile"],
 
+  "socketIo": {
+    /*
+     * Maximum permitted client message size (in bytes). All messages from
+     * clients that are larger than this will be rejected. Large values make it
+     * possible to paste large amounts of text, and plugins may require a larger
+     * value to work properly, but increasing the value increases susceptibility
+     * to denial of service attacks (malicious clients can exhaust memory).
+     */
+    "maxHttpBufferSize": 10000
+  },
+
   /*
    * Allow Load Testing tools to hit the Etherpad Instance.
    *
diff --git a/src/node/hooks/express/socketio.js b/src/node/hooks/express/socketio.js
index dd73e1cfa..47a657747 100644
--- a/src/node/hooks/express/socketio.js
+++ b/src/node/hooks/express/socketio.js
@@ -74,7 +74,7 @@ exports.expressCreateServer = (hookName, args, cb) => {
      * https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
      */
     cookie: false,
-    maxHttpBufferSize: 10E3,
+    maxHttpBufferSize: settings.socketIo.maxHttpBufferSize,
   });
 
   io.on('connect', (socket) => {
diff --git a/src/node/utils/Settings.js b/src/node/utils/Settings.js
index 0be086090..0da117a59 100644
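Review bot: The comment added with the `"socketIo"` block says oversized messages "will be rejected" but not what the client experiences, and with a 10000-byte default that distinction matters: if Socket.IO closes the connection on an oversized packet rather than discarding only that packet, a user pasting a large block of text is disconnected instead of merely seeing the paste fail. Confirm which it is and state it, e.g. `* clients that are larger than this will be rejected and the connection closed.` if that is the actual behaviour. The same comment is duplicated verbatim in the settings.json.template hunk, so whatever wording is chosen needs to land in both. Since the limit is in bytes and the payload is presumably UTF-8 encoded, a note that non-ASCII text consumes more than one byte per character would also help operators size the value.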
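Review bot: `maxHttpBufferSize: settings.socketIo.maxHttpBufferSize` is handed to Socket.IO with no check, so if a deployment's settings.json supplies a `socketIo` object that lacks `maxHttpBufferSize` (or gives it as a string, `0` or a negative number) and the settings loader replaces rather than merges the defaults declared in Settings.js — behaviour not visible in this diff — the option becomes `undefined` and Socket.IO silently applies its own library default, quietly dropping the limit this commit exists to enforce. Validating once at load time in Settings.js and failing fast is the cleanest place, but a guard here also works: `const maxHttpBufferSize = settings.socketIo.maxHttpBufferSize;` `if (!Number.isInteger(maxHttpBufferSize) || maxHttpBufferSize <= 0) throw new Error('socketIo.maxHttpBufferSize must be a positive integer');` and then `maxHttpBufferSize,` in the options object. Logging the effective limit at startup would additionally give operators a way to confirm what is actually enforced rather than trusting the template. The enclosing `expressCreateServer` function starts and ends outside this hunk, and the same missing validation applies to the `exports.socketIo` default added in the Settings.js hunk.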
--- a/src/node/utils/Settings.js
+++ b/src/node/utils/Settings.js
@@ -104,6 +104,18 @@ exports.ssl = false;
  **/
 exports.socketTransportProtocols = ['xhr-polling', 'jsonp-polling', 'htmlfile'];
 
+exports.socketIo = {
+  /**
+   * Maximum permitted client message size (in bytes).
+   *
+   * All messages from clients that are larger than this will be rejected. Large values make it
+   * possible to paste large amounts of text, and plugins may require a larger value to work
+   * properly, but increasing the value increases susceptibility to denial of service attacks
+   * (malicious clients can exhaust memory).
+   */
+  maxHttpBufferSize: 10000,
+};
+
 /*
  * The Type of the database
  */
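Review bot: The default `maxHttpBufferSize: 10000` in the new `exports.socketIo` object is the third copy of the same number in this commit (settings.json.template and settings.json.docker carry the other two), and nothing ties them together, so a later bump of one will silently diverge from the others. A one-line comment on the field, `// Keep in sync with settings.json.template and settings.json.docker.`, makes the coupling visible to whoever edits it next. It would also be worth saying in the JSDoc that this default only applies when settings.json omits the key entirely, if that is how the loader merges user-supplied objects — that merge logic is outside this hunk, so hedge accordingly.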