security: New setting for Socket.IO maxHttpBufferSize

src/node/hooks/express/socketio.js

@@ -74,7 +74,7 @@ exports.expressCreateServer = (hookName, args, cb) => {
      *   https://github.com/socketio/socket.io/issues/2276#issuecomment-147184662 (not totally true, actually, see above)
      */
     cookie: false,
-    maxHttpBufferSize: 10E3,
+    maxHttpBufferSize: settings.socketIo.maxHttpBufferSize,
   });
 
   io.on('connect', (socket) => {

src/node/utils/Settings.js

@@ -104,6 +104,18 @@ exports.ssl = false;
  **/
 exports.socketTransportProtocols = ['xhr-polling', 'jsonp-polling', 'htmlfile'];
 
+exports.socketIo = {
+  /**
+   * Maximum permitted client message size (in bytes).
+   *
+   * All messages from clients that are larger than this will be rejected. Large values make it
+   * possible to paste large amounts of text, and plugins may require a larger value to work
+   * properly, but increasing the value increases susceptibility to denial of service attacks
+   * (malicious clients can exhaust memory).
+   */
+  maxHttpBufferSize: 10000,
+};
+
 /*
  * The Type of the database
  */