ponylang / http_server Goto Github PK

After #52 has been merged

The workflow release.yml is referencing action actions/checkout using references v1. However this reference is missing the commit a6747255bd19d7a757dbdda8c654a9f84db19839 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.

Dear maintainers,

It would seem that, when ran with the --ponynoblock flag, the example http server leaks.

Background: When running into a cycle detector segfault [0] by benchmarking the sample server, @SeanTAllen suggested that cycle detector might me turned off.

With the cycle detector off, when benchmarking, the process just got OOM killed.

I don't think that was a previously mentioned issue so I'm raising!

Thanks,
Marc

[0] ponylang/ponyc#2977 (comment)

RFC 2068 states:

When it connects to an origin server, an HTTP client MAY send the
   Keep-Alive connection-token in addition to the Persist connection-
   token:

          Connection: Keep-Alive

   An HTTP/1.0 server would then respond with the Keep-Alive connection
   token and the client may proceed with an HTTP/1.0 (or Keep-Alive)
   persistent connection.

Currently users need to check for the Request version to be HTTP10 and for the right Connection header and then set the response header accordingly. This should not be the users responsibility. But right now, especially in the ResponseBuilder it is not possible to prepopulate it with headers or any other values based on the request and maybe some server settings. When the Response is passed to the Sessions it is too late as by then the Response is val not mutable anymore. With the ResponseBuilder we only pass the response data as bytes over, also no possibility to change something here. The best way would be to initialize the response builder with HTTP version, Status Code and the given Request, so it can incorporate the logic necessary for handling HTTP/1.0 keep alive.

The workflow announce-a-release.yml is referencing action actions/checkout using references v1. However this reference is missing the commit a6747255bd19d7a757dbdda8c654a9f84db19839 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.

Detected in Theodus/jennet#18 .

Give a simple example for:

• starting a server
• handling requests
• building responses

also link to the examples.

The workflow pr.yml is referencing action actions/checkout using references v1. However this reference is missing the commit a6747255bd19d7a757dbdda8c654a9f84db19839 which may contain fix to the some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.

File: examples/httpserver/httpserver.pony
git: e1b15408fdd7ebdf76b9cf4107f702ecc15a80b8

On macOS 10.15.7, compiled using brew install libressl and corral run -- ponyc -Dopenssl_0.9.0

$ ponyup show
ponyup-nightly-20201207-x86_64-darwin
ponyc-release-0.38.1-x86_64-darwin *
corral-release-0.4.0-x86_64-darwin *

A curl request worked as expected:

curl -i -H 'content-type: text/plain' -d 'hello' 'http://localhost:50000/'
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 130

POST / HTTP/1.1
Accept: */*
Content-Length: 5
content-type: text/plain
Host: localhost:50000
User-Agent: curl/7.64.1

hello$ 

The $ is the shell prompt as the body (correctly) did not have a newline.

Trying to run something similar using Apache Bench (ab) with a file name hello.txt containing 6 bytes (hello + newline):

$ ab -T 'text/plain' -p hello.txt 'http://localhost:50000/'
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)...

blocks the client for about 30 seconds then ends after appending to the last line on screen:

Benchmarking localhost (be patient)...apr_pollset_poll: The timeout specified has expired (70007)

Running again with verbose output:

$ ab -v 2 -T 'text/plain' -p hello.txt 'http://localhost:50000/'
This is ApacheBench, Version 2.3 <$Revision: 1843412 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking localhost (be patient)...INFO: POST header ==
---
POST / HTTP/1.0
Content-length: 6
Content-type: text/plain
Host: localhost:50000
User-Agent: ApacheBench/2.3
Accept: */*


---
LOG: header received:
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 135

POST / HTTP/1.0
Accept: */*
Content-length: 6
Content-type: text/plain
Host: localhost:50000
User-Agent: ApacheBench/2.3

hello

blocks there for about 30 seconds, then finally prints the following and exits:

apr_pollset_poll: The timeout specified has expired (70007)

Wasn't ever successful running ab with multiple requests e.g. -n 100 or concurrency -c 10.
Even tried -k to enable keepalive but still had the client blocking/waiting.

Need to rev

• library documentation action
• http version as it doesn't work with forthcoming pony 0.47.0

https://github.com/ponylang/main-actor-documentation-action