Add content length cap for paste creation endpoint (#8)

* add content length cap * add development docker compose stack * Fix paste creation error notification data * Add length cap to hastebin endpoint as well * Mention length cap in Readme Co-authored-by: Lukas Schulte Pelkum <kbrt@protonmail.com>
2023-08-10 21:13:09 +03:00 · 2021-05-23 20:55:16 +02:00
parent ef364db0e5
commit 8cbb62070e
6 changed files with 36 additions and 1 deletions
--- a/internal/web/controllers/v1/hastebin_support.go
+++ b/internal/web/controllers/v1/hastebin_support.go
@@ -13,6 +13,14 @@ import (

 // HastebinSupportHandler handles the legacy hastebin requests
 func HastebinSupportHandler(ctx *fasthttp.RequestCtx) {
+	// Check content length before reading body into memory
+	if config.Current.LengthCap > 0 &&
+		ctx.Request.Header.ContentLength() > config.Current.LengthCap {
+		ctx.SetStatusCode(fasthttp.StatusBadRequest)
+		ctx.SetBodyString("request body length overflow")
+		return
+	}
+
 	// Define the paste content
 	var content string
 	switch string(ctx.Request.Header.ContentType()) {
--- a/internal/web/controllers/v1/pastes.go
+++ b/internal/web/controllers/v1/pastes.go
@@ -51,6 +51,14 @@ func v1GetPaste(ctx *fasthttp.RequestCtx) {

 // v1PostPaste handles the 'POST /v1/pastes' endpoint
 func v1PostPaste(ctx *fasthttp.RequestCtx) {
+	// Check content length before reading body into memory
+	if config.Current.LengthCap > 0 &&
+		ctx.Request.Header.ContentLength() > config.Current.LengthCap {
+		ctx.SetStatusCode(fasthttp.StatusBadRequest)
+		ctx.SetBodyString("request body length overflow")
+		return
+	}
+
 	// Unmarshal the body
 	values := make(map[string]string)
 	err := json.Unmarshal(ctx.PostBody(), &values)