mirror of
https://github.com/Luzifer/ots.git
synced 2024-12-18 03:54:38 -05:00
Fix: Use a default maxSecretSize and limit the payload read (#144)
This commit is contained in:
parent
5ad6449757
commit
136c0e2c96
15
api.go
15
api.go
@ -55,6 +55,13 @@ func (a apiServer) Register(r *mux.Router) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
|
func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
|
||||||
|
if cust.MaxSecretSize > 0 {
|
||||||
|
// As a safeguard against HUGE payloads behind a misconfigured
|
||||||
|
// proxy we take double the maximum secret size after which we
|
||||||
|
// just close the read and cut the connection to the sender.
|
||||||
|
r.Body = http.MaxBytesReader(res, r.Body, cust.MaxSecretSize*2) //nolint:gomnd
|
||||||
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
expiry = cfg.SecretExpiry
|
expiry = cfg.SecretExpiry
|
||||||
secret string
|
secret string
|
||||||
@ -69,6 +76,14 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
|
|||||||
if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
|
if strings.HasPrefix(r.Header.Get("Content-Type"), "application/json") {
|
||||||
tmp := apiRequest{}
|
tmp := apiRequest{}
|
||||||
if err := json.NewDecoder(r.Body).Decode(&tmp); err != nil {
|
if err := json.NewDecoder(r.Body).Decode(&tmp); err != nil {
|
||||||
|
if _, ok := err.(*http.MaxBytesError); ok {
|
||||||
|
a.collector.CountSecretCreateError(errorReasonSecretSize)
|
||||||
|
// We don't do an error response here as the MaxBytesReader
|
||||||
|
// automatically cuts the ResponseWriter and we simply cannot
|
||||||
|
// answer them.
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
a.collector.CountSecretCreateError(errorReasonInvalidJSON)
|
a.collector.CountSecretCreateError(errorReasonInvalidJSON)
|
||||||
a.errorResponse(res, http.StatusBadRequest, err, "decoding request body")
|
a.errorResponse(res, http.StatusBadRequest, err, "decoding request body")
|
||||||
return
|
return
|
||||||
|
@ -12,6 +12,13 @@ import (
|
|||||||
"gopkg.in/yaml.v2"
|
"gopkg.in/yaml.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Frontend has a max attachment size of 64MiB as the base64 encoding
|
||||||
|
// will break afterwards. Therefore we use a maximum secret size of
|
||||||
|
// 65MiB and increase it by double base64 encoding:
|
||||||
|
//
|
||||||
|
// 65 MiB * 16/9 (twice 4/3 base64 size increase)
|
||||||
|
const defaultMaxSecretSize = 65 * 1024 * 1024 * (16 / 9) // = 115.6MiB
|
||||||
|
|
||||||
type (
|
type (
|
||||||
// Customize holds the structure of the customization file
|
// Customize holds the structure of the customization file
|
||||||
Customize struct {
|
Customize struct {
|
||||||
@ -78,4 +85,8 @@ func (c *Customize) applyFixes() {
|
|||||||
if len(c.AppTitle) == 0 {
|
if len(c.AppTitle) == 0 {
|
||||||
c.AppTitle = "OTS - One Time Secrets"
|
c.AppTitle = "OTS - One Time Secrets"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if c.MaxSecretSize == 0 {
|
||||||
|
c.MaxSecretSize = defaultMaxSecretSize
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user