fix: limit webhook request body size to 1MB to prevent DoS (closes #1)

internal/handlers/handlers_test.go

@@ -426,6 +426,47 @@ func addChiURLParams(
 	)
 }
 
+func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
+	t.Parallel()
+
+	testCtx := setupTestHandlers(t)
+
+	// Create an app first
+	createdApp, createErr := testCtx.appSvc.CreateApp(
+		context.Background(),
+		app.CreateAppInput{
+			Name:    "oversize-test-app",
+			RepoURL: "git@example.com:user/repo.git",
+			Branch:  "main",
+		},
+	)
+	require.NoError(t, createErr)
+
+	// Create a body larger than 1MB - it should be silently truncated
+	// and the webhook should still process (or fail gracefully on parse)
+	largePayload := strings.Repeat("x", 2*1024*1024) // 2MB
+	request := httptest.NewRequest(
+		http.MethodPost,
+		"/webhook/"+createdApp.WebhookSecret,
+		strings.NewReader(largePayload),
+	)
+	request = addChiURLParams(
+		request,
+		map[string]string{"secret": createdApp.WebhookSecret},
+	)
+	request.Header.Set("Content-Type", "application/json")
+	request.Header.Set("X-Gitea-Event", "push")
+
+	recorder := httptest.NewRecorder()
+
+	handler := testCtx.handlers.HandleWebhook()
+	handler.ServeHTTP(recorder, request)
+
+	// Should still return OK (payload is truncated and fails JSON parse,
+	// but webhook service handles invalid JSON gracefully)
+	assert.Equal(t, http.StatusOK, recorder.Code)
+}
+
 func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
 	t.Parallel()