Ornias1993 / fetlife-aslsearch-reborn

Tampermonkey user script offering an interface to perform pseudo-automatic searches of the FetLife.com user base filtered by age, sex, location, and role.

Users can craft to heavy search queries on large datasets #59

Open Ornias1993 opened 5 years ago

Ornias1993 commented 5 years ago

Description

On the 4.4 million row test dataset, it is possible to still create very slow queries. This should be prevented, as it also puts load on the server and facilitates abuse.

Category

BUG

Detailed Bug Report

Most users would not be affected by such heavy queries; UX expectations are that people would almost always enter a location, gender, age range or role. This would in itself ensure people at least hit an index.

On the user side of things a timeout would occur after (at time of writing) 20 seconds. However, this does not cancel the executed SQL query on the server side.

While it would always be possible to DoS a system if one is willing to, users should be prevented from entering index-less search queries. We can do this by enforcing the use of at least gender and age.

We can also prevent abuse by stacking such queries by limiting the number of concurrent connections per IP; how this could be done in practice is still up for debate.

Steps to Reproduce

Please enter the steps to reproduce the bug or behaviour:

  1. Craft a search result that is not covered by indexes and has almost no results
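The three mitigations discussed in the report (require gender and age so every search hits an index, cap concurrent searches per IP, and make sure a client-side timeout also cancels the server-side query) can be combined into one request guard. The following is an added example for illustration, not code from the fetlife-aslsearch-reborn project: the field names `gender`, `ageMin`, `ageMax`, `location` and `role`, the allowed gender values, the per-IP limit of 2, and the `runQuery(params, signal)` database function that honours an `AbortSignal` are all assumptions.

```javascript
// Added example, not part of the fetlife-aslsearch-reborn project.
// Server-side guard for a search endpoint; all field names are assumed.

// Fields assumed to be covered by database indexes. A query that supplies none
// of them forces a full scan of the user table, which is what the issue reports.
const REQUIRED_FIELDS = ["gender", "ageMin", "ageMax"];
const ALLOWED_GENDERS = new Set(["male", "female", "other"]); // constructed values

// Reject a search unless it constrains at least gender and an age range.
// Returns { ok: true, params } or { ok: false, error }.
function validateSearch(query) {
  for (const f of REQUIRED_FIELDS) {
    if (query[f] === undefined || query[f] === null || query[f] === "") {
      return { ok: false, error: `missing required field: ${f}` };
    }
  }
  const gender = String(query.gender).toLowerCase();
  if (!ALLOWED_GENDERS.has(gender)) {
    return { ok: false, error: "unknown gender value" };
  }
  const ageMin = Number(query.ageMin);
  const ageMax = Number(query.ageMax);
  if (!Number.isInteger(ageMin) || !Number.isInteger(ageMax)) {
    return { ok: false, error: "age bounds must be integers" };
  }
  if (ageMin < 18 || ageMax > 120 || ageMin > ageMax) {
    return { ok: false, error: "age range out of bounds" };
  }
  return {
    ok: true,
    params: { gender, ageMin, ageMax, location: query.location || null, role: query.role || null },
  };
}

// Per-IP cap on in-flight searches, so one client cannot stack slow queries.
// tryAcquire returns a release function, or null when the cap is reached.
class PerIpLimiter {
  constructor(maxInFlight = 2) {
    this.maxInFlight = maxInFlight;
    this.inFlight = new Map(); // ip -> number of running searches
  }
  tryAcquire(ip) {
    const n = this.inFlight.get(ip) || 0;
    if (n >= this.maxInFlight) return null;
    this.inFlight.set(ip, n + 1);
    let released = false;
    return () => {
      if (released) return; // releasing twice must not free a second slot
      released = true;
      const m = this.inFlight.get(ip) || 1;
      if (m <= 1) this.inFlight.delete(ip);
      else this.inFlight.set(ip, m - 1);
    };
  }
  count(ip) {
    return this.inFlight.get(ip) || 0;
  }
}

// Request flow: validate, take a per-IP slot, then run the query under an
// AbortController so the 20 s timeout also cancels the work on the server.
// runQuery(params, signal) is an assumed database function that rejects when
// signal is aborted (e.g. by cancelling the underlying SQL statement).
async function handleSearch(req, limiter, runQuery, timeoutMs = 20000) {
  const v = validateSearch(req.query);
  if (!v.ok) return { status: 400, body: { error: v.error } };

  const release = limiter.tryAcquire(req.ip);
  if (!release) return { status: 429, body: { error: "too many concurrent searches" } };

  const ac = new AbortController();
  const timer = setTimeout(() => ac.abort(), timeoutMs);
  try {
    const rows = await runQuery(v.params, ac.signal);
    return { status: 200, body: { rows } };
  } catch (e) {
    if (ac.signal.aborted) return { status: 504, body: { error: "search timed out" } };
    throw e;
  } finally {
    clearTimeout(timer); // always free the timer and the per-IP slot
    release();
  }
}
```

The validation step is what turns the UX expectation ("people almost always enter gender and age") into an enforced rule; the limiter and the abort signal address the two remaining points, stacked queries and a client timeout that leaves the SQL running.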