Dealing with DoS when using a HashMap

I’ve noticed that, by default, Zig hash map doesn’t depend on random number generation, and instantiates a particular hash function with a fixed seed. It seems to me that this is potentially vulnurable to a DoS attack, when the attacker can craft hash map entries which force collisions.

In particular, it seems that recently added http server has this problem when dealing with headers:

Am I correct that the code as is is vulnerable to DoS? That is, that a malicious client can send a sequence of headers which would require O(N^2) CPU time to process?

What would be the correct and idiomatic way to fix that?

1 Like