Blocking Operations in Async Context

[gtema]

DESCRIPTION: Expensive operations like password hashing can block the Tokio async runtime, causing task starvation and service degradation.

VULNERABLE PATTERN:

// VULNERABLE: Blocking crypto in async context
async fn authenticate(username: &str, password: &str) -> Result<Token> {
    let user = User::find_by_name(username).await?;
    
    // This blocks the entire async runtime thread
    if !bcrypt::verify(password, &user.password_hash)? {
        return Err(Error::InvalidCredentials);
    }
    
    Ok(generate_token())
}

ATTACK VECTOR:

• Send many authentication requests simultaneously
• Force expensive bcrypt verification on all requests
• Exhaust async runtime capacity with blocking operations
• Starve other async tasks
• Cause service slowdown or complete unavailability

IMPACT:

• Service performance degradation
• Task starvation
• Request timeout failures
• Denial of service
• Poor scalability under load

REMEDIATION:

use tokio::task;

// CORRECT: Offload blocking operations to dedicated thread pool
async fn authenticate(username: &str, password: &str) -> Result<Token> {
    let user = User::find_by_name(username).await?;
    
    let password = password.to_owned();
    let hash = user.password_hash.clone();
    
    // Run blocking crypto on dedicated thread pool
    let valid = task::spawn_blocking(move || {
        bcrypt::verify(password, &hash)
    }).await??;
    
    if !valid {
        return Err(Error::InvalidCredentials);
    }
    
    Ok(generate_token())
}