From 3b91c94ed4d2c5a925be0c71100a2aec71043e47 Mon Sep 17 00:00:00 2001
From: Ringo Hoffmann
Date: Sun, 23 May 2021 19:58:49 +0200
Subject: [PATCH] add content length cap

---
 internal/config/config.go | 2 ++
 internal/web/controllers/v1/pastes.go | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/internal/config/config.go b/internal/config/config.go
index 152daf3..a24999c 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -18,6 +18,7 @@ type Config struct {
 DeletionTokenMaster string
 DeletionTokenLength int
 RateLimit string
+ LengthCap int
 AutoDelete *AutoDeleteConfig
 File *FileConfig
 Postgres *PostgresConfig
@@ -76,6 +77,7 @@ func Load() {
 DeletionTokenMaster: env.MustString("DELETION_TOKEN_MASTER", ""),
 DeletionTokenLength: env.MustInt("DELETION_TOKEN_LENGTH", 12),
 RateLimit: env.MustString("RATE_LIMIT", "30-M"),
+ LengthCap: env.MustInt("LENGTH_CAP", 50_000),
 AutoDelete: &AutoDeleteConfig{
 Enabled: env.MustBool("AUTODELETE", false),
 Lifetime: env.MustDuration("AUTODELETE_LIFETIME", 720*time.Hour),
diff --git a/internal/web/controllers/v1/pastes.go b/internal/web/controllers/v1/pastes.go
index be95365..ab47448 100644
--- a/internal/web/controllers/v1/pastes.go
+++ b/internal/web/controllers/v1/pastes.go
@@ -51,6 +51,14 @@ func v1GetPaste(ctx *fasthttp.RequestCtx) {
 
 // v1PostPaste handles the 'POST /v1/pastes' endpoint
 func v1PostPaste(ctx *fasthttp.RequestCtx) {
+ // Check content length before reading body into memory
+ if config.Current.LengthCap > 0 &&
+ ctx.Request.Header.ContentLength() > config.Current.LengthCap {
+ ctx.SetStatusCode(fasthttp.StatusBadRequest)
+ ctx.SetBodyString("request body length overflow")
+ return
+ }
+
 // Unmarshal the body
 values := make(map[string]string)
 err := json.Unmarshal(ctx.PostBody(), &values)
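Review bot: The new `LengthCap` field in the Config struct states neither its unit nor what the zero value means, yet the handler in pastes.go reads it as a byte count and treats `0` as "check disabled", so that contract belongs on the field: `LengthCap int // max accepted request body size in bytes; 0 disables the check`. The same hint is worth attaching to the `LENGTH_CAP` default added in the Load() hunk, e.g. a trailing `// bytes` comment, so an operator setting the variable does not guess at kilobytes. The Config struct and Load() both start outside their hunks.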
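Review bot: The guard in v1PostPaste compares only the declared Content-Length header, not the bytes actually received, so a request that omits the header or uses chunked transfer encoding (where, as I recall, fasthttp's `ContentLength()` returns a negative value) passes the cap untouched, as does one whose declared length understates the body. The added comment `// Check content length before reading body into memory` is also misleading: unless the server is run with streaming request bodies, fasthttp has already buffered the whole body before the handler runs, so the real memory bound is the server's `MaxRequestBodySize`, and this check is an application-level size policy rather than a memory guard. I would keep the header check as a cheap early exit but enforce the cap on the real payload too, `if config.Current.LengthCap > 0 && len(ctx.PostBody()) > config.Current.LengthCap {`, and answer with `fasthttp.StatusRequestEntityTooLarge` instead of 400 so clients can tell a size rejection from a malformed request. The rest of v1PostPaste continues outside the hunk.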