
[Bug]: Missing Input Validation and Rate Limiting #28

@DeveloperAmrit

Bug Description

The InputHandler.ts processes incoming JSON messages directly without validation.

  • Rate Limiting: There is no throttling. A client can flood the server with thousands of mousemove events per second, potentially freezing the host UI or saturating the network.
  • Input Sanitation: There are no length checks on text type messages. A payload with a 50MB string could crash the server or the nut-js automation process.

Steps to Reproduce

  1. Connect to the WebSocket.
  2. Send a move or scroll event inside a while(true) loop from a script.
  3. Result: The host system may become unresponsive due to the flood of input interrupts.

Expected Behavior

  1. Validation: Ensure msg.text strings are truncated to a reasonable length (e.g., 500 chars). Ensure dx/dy values are within sane bounds.
  2. Throttling: Implement a basic leaky bucket or throttle mechanism on the server side to ignore input events if they exceed a certain threshold (e.g., >60 events per second).

Desktop Operating System

macOS (Apple Silicon)

Mobile Device (Client)

Vivo T3x 5G

Rein Version

3

Console Logs / Error Messages

Screenshots / Recordings

No response

Checklist

  • I have searched for existing issues to avoid duplicates
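One way to implement the validation and throttling requested above, as an added TypeScript example rather than code from the Rein project: the message shape (`type`, `dx`, `dy`, `text`) is inferred from the issue text, the 10 000-pixel delta bound and the function and class names are assumptions, and the throttle is a per-client token bucket (the leaky-bucket equivalent) tuned to the 60 events per second threshold from the issue.

```typescript
// Added example, not the project's InputHandler.ts. Field names follow the
// issue; MAX_DELTA, sanitize, TokenBucket and simulate are assumed names.
type InputMsg = { type: "move" | "scroll" | "text"; dx?: number; dy?: number; text?: string };

const MAX_TEXT_LEN = 500;   // "Expected Behavior" item 1
const MAX_DELTA = 10_000;   // assumed sane bound for dx/dy, in pixels
const EVENTS_PER_SEC = 60;  // "Expected Behavior" item 2

// Reject malformed messages outright and clamp the rest to safe ranges, so an
// oversized string or an absurd delta never reaches the automation layer.
function sanitize(raw: unknown): InputMsg | null {
  if (typeof raw !== "object" || raw === null) return null;
  const m = raw as Record<string, unknown>;
  if (m.type === "text") {
    if (typeof m.text !== "string") return null;
    return { type: "text", text: m.text.slice(0, MAX_TEXT_LEN) };
  }
  if (m.type === "move" || m.type === "scroll") {
    const { dx, dy } = m;
    if (typeof dx !== "number" || typeof dy !== "number") return null;
    if (!Number.isFinite(dx) || !Number.isFinite(dy)) return null;
    const clamp = (v: number) => Math.max(-MAX_DELTA, Math.min(MAX_DELTA, v));
    return { type: m.type, dx: clamp(dx), dy: clamp(dy) };
  }
  return null;
}

// Per-client token bucket: refills at EVENTS_PER_SEC and holds at most one
// second's worth, so a steady 60/s passes while a tight loop is dropped.
class TokenBucket {
  private tokens = EVENTS_PER_SEC;
  constructor(private last: number) {}
  allow(now: number): boolean {
    const refill = ((now - this.last) / 1000) * EVENTS_PER_SEC;
    this.tokens = Math.min(EVENTS_PER_SEC, this.tokens + refill);
    this.last = now;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

// Replay `msgs` from one client, `gapMs` apart, and count the outcomes. The
// throttle runs before validation because it is the cheaper check.
function simulate(msgs: unknown[], gapMs: number) {
  const bucket = new TokenBucket(0);
  const r = { accepted: 0, dropped: 0, rejected: 0 };
  msgs.forEach((raw, i) => {
    if (!bucket.allow(i * gapMs)) { r.dropped++; return; }
    if (sanitize(raw) === null) { r.rejected++; return; }
    r.accepted++;
  });
  return r;
}
```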

Metadata

Labels: bug (Something isn't working)