
Harden InputHandler Against Event Flooding and Oversized Payload Attacks (Add Rate Limiting & Input Safeguards)#87

Open
aniket866 wants to merge 4 commits into AOSSIE-Org:main from aniket866:fixing-input-validation

Conversation


@aniket866 aniket866 commented Feb 14, 2026

Addressed Issues:

Closes #28

Why these changes are important

If a client keeps sending mouse move or scroll events very fast in a loop, the server handles all of them without limits. This can overload the system and make the Mac freeze or become very slow. Also, if someone sends a very large text message, it can use too much memory and crash the server.

Fixed InputHandler.ts with changes that implement input validation (text length, coordinate bounds) and rate limiting (throttling) for high-frequency events.

Changes Applied:

Rate Limiting: Added a lastEventTime timestamp and a check at the beginning of handleMessage to throttle move and scroll events to approximately 60 FPS (~16ms).

Input Sanitation: Added a check to truncate msg.text to 500 characters.

Coordinate Validation: Added clamping for msg.dx and msg.dy to ensure they stay within a sane range (+/- 2000 pixels) before processing.

Checklist

  • My PR addresses a single issue, fixes a single bug or makes a single improvement.
  • My code follows the project's code style and conventions
  • If applicable, I have made corresponding changes or additions to the documentation
  • If applicable, I have made corresponding changes or additions to tests
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contribution Guidelines
  • Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

@imxade Please review this; it can be merged. Let me know if any changes are required.

Thank you

Summary by CodeRabbit

  • Bug Fixes

    • Implemented input validation to sanitize incoming data and prevent invalid values from affecting the application.
  • Performance

    • Added event throttling to reduce processing overhead and improve responsiveness for high-frequency user interactions.

@coderabbitai

coderabbitai bot commented Feb 14, 2026

Warning

Rate limit exceeded

@aniket866 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 33 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📝 Walkthrough

Walkthrough

Input validation and throttling enhancements added to InputHandler. Text messages capped at 500 characters, movement/scroll coordinates clamped to [-2000, 2000] range, and high-frequency move/scroll events throttled to ~60fps using a new lastEventTime field.

Changes

  • Cohort: Input Validation & Throttling
    File(s): src/server/InputHandler.ts
    Summary: Added lastEventTime private field and input sanitization in handleMessage: text length capped at 500 characters, dx/dy coordinates clamped to [-2000, 2000], and move/scroll events throttled to 16ms intervals (~60fps).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 Hop, hop! Input flows with care,
Capped at five hundred, tame and fair,
Coordinates dance in bounded space,
Throttled frames set the pace,
Sixty times per second's grace!

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fixing-input-validation' directly relates to the main changes in the PR, which add input validation including text truncation and coordinate clamping in the InputHandler.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Merge Conflict Detection: ✅ Passed. No merge conflicts detected when merging into main.


@aniket866 aniket866 changed the title fixing-input-validation Harden InputHandler Against Event Flooding and Oversized Payload Attacks (Add Rate Limiting & Input Safeguards) Feb 14, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@src/server/InputHandler.ts`:
- Around line 30-32: The current clamping using MAX_COORD on msg.dx/msg.dy
allows NaN to pass through because Math.max/Math.min return NaN for non-numeric
inputs; update the InputHandler logic that mutates msg.dx and msg.dy to first
validate values with Number.isFinite or typeof === 'number' before clamping
(MAX_COORD), and if invalid either discard/normalize to 0 or skip assigning so
downstream calls like mouse.setPosition don't receive NaN; ensure you update the
branches that handle msg.dx and msg.dy accordingly.
- Around line 34-41: The current leading-edge throttle in InputHandler (using
lastEventTime and checking msg.type === 'move' || msg.type === 'scroll') drops
the trailing event and shares one timestamp across move and scroll; change it to
a per-event-type trailing-edge throttle: replace the single lastEventTime with
separate state (e.g., lastMoveEventTime, lastScrollEventTime and
pendingMoveEvent, pendingScrollEvent) and on a rapid burst, let the first event
go through immediately but if subsequent events are skipped schedule the last
skipped event via setTimeout (~16ms) to fire after the window expires; ensure
the dispatch logic references msg.type to select the correct timestamp/pending
slot so move and scroll throttling are independent.

aniket866 and others added 3 commits February 15, 2026 01:45
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>