Its not “bypassing” if you have to write the code used to setup the timer to do it.
I suppose it implies the existence of a class of potential problems if an application (1) accepts user input for timer delays, (2) requires a certain minimum delay, (3) only checks that the entered amount is >= the minimum without considering overflow behavior. But, since this behavior is well-documented (the MDN page on setTimeout covers it), it doesn't seem like any kind of notable discovery.
Also the example of bypassing this is rather contrived:
1) bypassing some timer in an API service requires the API to accept the string „Infinity“ and convert it to the JavaScript value Infinity - which is highly unlikely. Instead, the value would just fail the numeric validation.
2) bypassing some timer in client-side code by injecting Infinity seems overly complex - if you alter client-side code you might aswell just remove the validation instead of abusing edge cases of the language runtime.
If a NodeJS application accepts a value from the client application, but validates against an early call (e.g. min 25 mins from now) the Infinity value can bypass that validation.
Because it's a relatively unknown side effect, most validations probably wouldn't check for Infinity.
Plus although Infinity pops off the timer at 0 seconds, a validation based on millisecond math would fail because Infinity > 25 minutes in milliseconds.
dragonwriter|4 years ago
I suppose it implies the existence of a class of potential problems if an application (1) accepts user input for timer delays, (2) requires a certain minimum delay, (3) only checks that the entered amount is >= the minimum without considering overflow behavior. But, since this behavior is well-documented (the MDN page on setTimeout covers it), it doesn't seem like any kind of notable discovery.
exevp|4 years ago
1) bypassing some timer in an API service requires the API to accept the string „Infinity“ and convert it to the JavaScript value Infinity - which is highly unlikely. Instead, the value would just fail the numeric validation.
2) bypassing some timer in client-side code by injecting Infinity seems overly complex - if you alter client-side code you might aswell just remove the validation instead of abusing edge cases of the language runtime.
himinlomax|4 years ago
CryoLogic|4 years ago
Because it's a relatively unknown side effect, most validations probably wouldn't check for Infinity.
Plus although Infinity pops off the timer at 0 seconds, a validation based on millisecond math would fail because Infinity > 25 minutes in milliseconds.
whoomp12342|4 years ago
zodiakzz|4 years ago