[GH-ISSUE #641] Feature request: Add option --allow-hash to allow/disallow file hashing #390

New Issue

zhus · 2026-04-08T16:52:33+03:00

zhus commented

2026-04-08 16:52:33 +03:00

Originally created by @TransparentLC on GitHub (Oct 27, 2025).
Original GitHub issue: https://github.com/sigoden/dufs/issues/641

Specific Demand

Hash calculation requires additional resources, and the larger the file size, the more time it takes.

If I use dufs to serve files in GBs (such as datasets, software installers, Ubuntu CD images), request file hashing concurrently will consume significant CPU resources and potentially enabling exploitation for denial-of-service attacks.

For example, the following command will end up a loadavg over 180 on my 16-cores server.

bombardier -c512 -d60s "http://example.com/2gb.bin?hash"

I believe file hashing is not a core function of a static file server. If I need a convenient way to verify files, serving a SHA256SUMS with the file might be a better approach. Therefore, I suggest making file hashing an optional configuration setting, which would also prevent the previously mentioned DoS attack.

Implement Suggestion

Add option --allow-hash in the CLI, environment variable and configuration file. If file hashing is not enabled, request with querystring param hash should serve file normally or return a 403 forbidden.

(I am happy to submit pull requests)

Regardless of whether this feature request will be accepted, if you are using a reverse proxy, you can also configure it to disable file hashing. An example of nginx:

location / {
    if ($args ~* "(^|&)hash(=|&|$)") {
        return 403 "File hashing is forbidden.";
    }
    proxy_pass ...;
}

Originally created by @TransparentLC on GitHub (Oct 27, 2025). Original GitHub issue: https://github.com/sigoden/dufs/issues/641 ## Specific Demand > Hash calculation requires additional resources, and the larger the file size, the more time it takes. If I use dufs to serve files in GBs (such as datasets, software installers, Ubuntu CD images), request file hashing concurrently will consume significant CPU resources and potentially enabling exploitation for denial-of-service attacks. For example, the following command will end up a loadavg over 180 on my 16-cores server. ```sh bombardier -c512 -d60s "http://example.com/2gb.bin?hash" ``` ![](https://github.com/user-attachments/assets/6bf5516c-07a2-47c2-9dfb-3f28ced9ceca) I believe file hashing is not a core function of a static file server. If I need a convenient way to verify files, serving a SHA256SUMS with the file might be a better approach. Therefore, I suggest making file hashing an optional configuration setting, which would also prevent the previously mentioned DoS attack. ## Implement Suggestion Add option `--allow-hash` in the CLI, environment variable and configuration file. If file hashing is not enabled, request with querystring param `hash` should serve file normally or return a 403 forbidden. (I am happy to submit pull requests) Regardless of whether this feature request will be accepted, if you are using a reverse proxy, you can also configure it to disable file hashing. An example of nginx: ``` location / { if ($args ~* "(^|&)hash(=|&|$)") { return 403 "File hashing is forbidden."; } proxy_pass ...; } ```

zhus closed this issue

2026-04-08 16:52:33 +03:00

zhus referenced this issue

2026-04-08 16:53:36 +03:00

[PR #390] [CLOSED] No inline scripts #598

Sign in to join this conversation.