pad to avoid oracle attacks on /api/known_instances

2019-03-15 18:29:55 +01:00 · 2019-03-15 18:29:55 +01:00 · ec10d15217
parent 8cca6c2fe3
commit ec10d15217
1 changed files with 5 additions and 0 deletions
--- a/routes/api.py
+++ b/routes/api.py
@ -4,6 +4,7 @@ from flask import jsonify, redirect, make_response, request, Response
 from model import Account
 import libforget.settings
 import libforget.json
+import random

@app.route('/api/health_check')
 def health_check():
@ -68,6 +69,10 @@ def known_instances():
        if not known:
            return Response('[]', 404, mimetype='application/json')

+        # pad to avoid oracle attacks
+        for _ in range(random.randint(0, 1000)):
+                known += random.choice((' ', '\t', '\n'))
+
        return Response(known, mimetype='application/json')

    elif request.method == 'DELETE':