Validation, security and middleware

Thanks for taking the time to reply.

Ideally, client-side validation on top of Y.js only permits valid transactions. Assuming only malicious clients circumvent client-side validation, it will be OK if their client behavior will be impaired.

I’m using yrs – the Rust port – and the public API there is currently too limited to dig deeper.

Anyway, I’m surprised that this lack of validation is not an issue for more users.
As an example a malicious user could spam a ydoc with hidden data, e.g.

doc.transact(() => { doc.getText("hidden-data").insert(0, <incompressible garbage>)})

which would make all updates and future syncs larger, possibly escalating to a denial of service, if I understand correctly. A middleware or just some filtering function would be able to prevent the distribution of such updates.

1 Like