spelling backend opens UDP ports

[watercrossing]

The spell checker opens a udp port:

netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1260/redis-server 1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1237/sshd
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      30849/node
tcp        0      0 0.0.0.0:10843           0.0.0.0:*               LISTEN      30849/node
tcp        0      0 127.0.0.1:3003          0.0.0.0:*               LISTEN      1028/node
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1246/nginx
tcp        0      0 127.0.0.1:3005          0.0.0.0:*               LISTEN      30832/node
tcp        0      0 127.0.0.1:3009          0.0.0.0:*               LISTEN      1037/node
tcp        0      0 127.0.0.1:3010          0.0.0.0:*               LISTEN      1035/node
tcp        0      0 127.0.0.1:3012          0.0.0.0:*               LISTEN      1030/node
tcp        0      0 127.0.0.1:3013          0.0.0.0:*               LISTEN      26975/node
tcp        0      0 127.0.0.1:3015          0.0.0.0:*               LISTEN      1039/node
tcp        0      0 127.0.0.1:3016          0.0.0.0:*               LISTEN      1021/node
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1239/mongod
tcp6       0      0 :::22                   :::*                    LISTEN      1237/sshd
udp        0      0 0.0.0.0:59158           0.0.0.0:*                           30832/node

Why is this happening?

[jpallen]

... I don't know, sorry. It's a small code base, if you fancy taking a look it shouldn't be too hard to track down.

[jpallen]

Sorry, just realised what it is. We send metrics via UDP. If you don't have statsd running these will just be ignored. I don't know this is only showing up for spelling and not the other.

[henryoswald]

Could aspell launch udp connections...?

On Fri, Sep 5, 2014 at 3:40 PM, James Allen notifications@github.com
wrote:

... I don't know, sorry. It's a small code base, if you fancy taking a
look it shouldn't be too hard to track down.

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

Henry Oswald
shareLaTeX.com creator

[watercrossing]

Could you please keep the issue open? Its a lot easier to find open issues than closed ones.

I have dug a little, and it seems to be node-statsd. For some reason its also binding to every host, even though it should just be localhost.

@jpallen: it is a small code base indeed, but I haven't quite figured out all the relationships between the different sharelatex packages/modules. The fact that there is very little source code documentation is not making it easier.

[jpallen]

Sorry, I closed it because I don't think it is an issue. We use statsd in production to monitor various metrics and the metrics are sent over UDP. However, there is no problem if the daemon isn't there to connect to. I'm happy to reopen this is you think there is still an issue here, let me know.

[watercrossing]

Hmm, I think any port that is open globally without a good reason is a good issue! Do all parts of *-sharelatex send information to the metrics server? I suppose a README.md for metrics-sharelatex would help to explain things!

[jpallen]

Fair enough, I'll leave this open, and we'd be happy to accept a pull request fixing it, but unless there are any actual side effects, I doubt it will get fixed on our end soon, sorry.

I agree that the whole code base would benefit from better documentation, but given the low volume of people who would need that sort of documentation, and the fact that it all evolved organically out of development which was originally closed-source (and only by a small team), it's another area that probably won't improve without external contributions, sorry.

I realise this sounds all a bit negative sorry! There are only two core devs at the moment and we are always stretched very thinly.

[watercrossing]

Ok, I had a look and you are right, this is not an issue; at least not in sharelatex. node-statsd just binds its writing socket to all hosts whenever its invoked. It doesn't offer any way to specify which host to bind to, but since its using it only for writing it shouldn't be an issue. Unless someone finds a security hole in nodejs' udp datagram implementation. Then of course all servers using node-statsd are vulnerable.

I do realise its just the two of you!

[das7pad]

Hi!

Thank you for taking the time to write up this issue.

We are in the process of migrating to a monorepo at https://github.com/overleaf/overleaf and will mark this repository read-only soon.
You can read more about the monorepo migration at overleaf/overleaf#923.

We are going to close this issue now to avoid any confusion about the inability to comment further.

If you believe this issue still needs addressing, please create a new issue at https://github.com/overleaf/overleaf.

Thanks again!