add content length cap

internal/config/config.go

@@ -18,6 +18,7 @@ type Config struct {
 	DeletionTokenMaster string
 	DeletionTokenLength int
 	RateLimit           string
+	LengthCap           int
 	AutoDelete          *AutoDeleteConfig
 	File                *FileConfig
 	Postgres            *PostgresConfig
@@ -76,6 +77,7 @@ func Load() {
 		DeletionTokenMaster: env.MustString("DELETION_TOKEN_MASTER", ""),
 		DeletionTokenLength: env.MustInt("DELETION_TOKEN_LENGTH", 12),
 		RateLimit:           env.MustString("RATE_LIMIT", "30-M"),
+		LengthCap:           env.MustInt("LENGTH_CAP", 50_000),
 		AutoDelete: &AutoDeleteConfig{
 			Enabled:      env.MustBool("AUTODELETE", false),
 			Lifetime:     env.MustDuration("AUTODELETE_LIFETIME", 720*time.Hour),

internal/web/controllers/v1/pastes.go

@@ -51,6 +51,14 @@ func v1GetPaste(ctx *fasthttp.RequestCtx) {
 
 // v1PostPaste handles the 'POST /v1/pastes' endpoint
 func v1PostPaste(ctx *fasthttp.RequestCtx) {
+	// Check content length before reading body into memory
+	if config.Current.LengthCap > 0 &&
+		ctx.Request.Header.ContentLength() > config.Current.LengthCap {
+		ctx.SetStatusCode(fasthttp.StatusBadRequest)
+		ctx.SetBodyString("request body length overflow")
+		return
+	}
+
 	// Unmarshal the body
 	values := make(map[string]string)
 	err := json.Unmarshal(ctx.PostBody(), &values)