saguziel / Kryptose

A password manager

Blob max size #15

Closed AMarcedone closed 9 years ago

AMarcedone commented 9 years ago

We probably want to refuse (server side) a Blob which is too big. An adversary that is asking for a 100GB blob might be trying to exhaust our resources (maybe) or exploit our service to store unlimited data for free.

Not sure where/how it is appropriate to check. We probably do not want to deal with it now.

jnshi commented 9 years ago

ObjectInputStream does not allow us control over the amount of information it reads. It would be possible, however, to add an intermediate InputStream that keeps track of how many bytes were read and cuts it off at some point.

I don't think DoS attacks are within our scope. If we block off one easy attack against availability, there are several other easy attacks that we don't know how to defend against. The "free storage" problem is a good point. However there are so many services that give free storage already that I don't see why anyone would use this exploit (though that doesn't mean that nobody would).

This is a good reason to have logs for auditing... so that if anyone ever tried this it would be caught easily.
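The counting wrapper described above, as an added illustration that is not part of Kryptose or this thread: a FilterInputStream that tracks bytes read, refuses to hand more than the budget to ObjectInputStream, and fails with an IOException instead of buffering an unbounded blob. The class name, the limit constant and the readBoundedObject helper are assumptions for the example.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;

/** Counts bytes read and fails once the caller's limit is exceeded (hypothetical helper, not Kryptose code). */
public final class BoundedInputStream extends FilterInputStream {
    private final long limit;
    private long count;

    public BoundedInputStream(InputStream in, long limit) {
        super(in);
        this.limit = limit;
    }

    private long remainingOrFail() throws IOException {
        long remaining = limit - count;
        if (remaining <= 0) throw new IOException("blob exceeds " + limit + " bytes");
        return remaining;
    }

    @Override
    public int read() throws IOException {
        remainingOrFail();
        int b = in.read();
        if (b != -1) count++;
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        // Clamp the request so the limit is enforced before, not after, the bytes are consumed.
        int n = in.read(buf, off, (int) Math.min(len, remainingOrFail()));
        if (n > 0) count += n;
        return n;
    }

    @Override
    public long skip(long n) throws IOException {
        // Skipped bytes still count against the budget; otherwise the limit could be bypassed.
        long skipped = in.skip(Math.min(n, remainingOrFail()));
        count += skipped;
        return skipped;
    }

    /** Server-side use: readObject() now throws IOException once more than maxBytes arrive. */
    public static Object readBoundedObject(InputStream raw, long maxBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new BoundedInputStream(raw, maxBytes))) {
            return ois.readObject();
        }
    }
}
```

A blob of exactly maxBytes is still accepted; only the first read beyond the budget fails, which is the point at which a server would also want to write the audit log entry mentioned above.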

saguziel commented 9 years ago

Yeah let's not worry about availability attacks.