fix: limit webhook request body size to 1MB to prevent DoS (closes #1)

clawbot
2026-02-08 12:02:06 -08:00
parent d4eae284b5
commit e212910143
2 changed files with 46 additions and 2 deletions


@@ -9,6 +9,9 @@ import (
"git.eeqj.de/sneak/upaas/internal/models"
)
// maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
const maxWebhookBodySize = 1 << 20
// HandleWebhook handles incoming Gitea webhooks.
func (h *Handlers) HandleWebhook() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
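Review bot: The new constant is documented as "the maximum allowed size" of the body, but the way it is consumed in the following hunk (`io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))`) does not reject oversized requests; it silently truncates them at 1 MiB, so a larger payload reaches the JSON decoder (and any signature check performed on `body`) as a cut-off byte string and fails with a misleading error instead of a 413. Since `net/http` is already imported, `http.MaxBytesReader(writer, request.Body, maxWebhookBodySize)` is the idiomatic replacement: it returns an error once the limit is exceeded and lets the handler answer with `http.StatusRequestEntityTooLarge`, which is the behaviour the constant's comment promises. Detecting the overflow via `*http.MaxBytesError` needs `errors.As`; whether `errors` is already imported is not visible in this hunk, so the import block may need it added. HandleWebhook's body continues past this hunk.

```go
	// Read request body with size limit; MaxBytesReader rejects (rather than truncates) oversized bodies
	request.Body = http.MaxBytesReader(writer, request.Body, maxWebhookBodySize)
	body, readErr := io.ReadAll(request.Body)
	if readErr != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(readErr, &tooLarge) {
			http.Error(writer, "Request Entity Too Large", http.StatusRequestEntityTooLarge)
			return
		}
		// … unchanged: existing read-error logging and 400 response …
```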
@@ -38,8 +41,8 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
return
}
// Read request body
body, readErr := io.ReadAll(request.Body)
// Read request body with size limit to prevent memory exhaustion
body, readErr := io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))
if readErr != nil {
h.log.Error("failed to read webhook body", "error", readErr)
http.Error(writer, "Bad Request", http.StatusBadRequest)