Bug: Webhook endpoint reads request body without size limit (DoS vector) #1

New Issue

clawbot · 2026-02-08T21:01:04+01:00

clawbot commented

2026-02-08 21:01:04 +01:00

Description

In internal/handlers/webhook.go, HandleWebhook() uses io.ReadAll(request.Body) with no size limit. An attacker who knows (or guesses) a webhook secret can send an arbitrarily large payload to exhaust server memory.

Impact

Denial of service - a single HTTP request with a multi-gigabyte body will consume all available memory.

Location

internal/handlers/webhook.go:31 - body, readErr := io.ReadAll(request.Body)

Fix

Use io.LimitReader to cap the request body at a reasonable size (e.g., 1MB).

## Description In `internal/handlers/webhook.go`, `HandleWebhook()` uses `io.ReadAll(request.Body)` with no size limit. An attacker who knows (or guesses) a webhook secret can send an arbitrarily large payload to exhaust server memory. ## Impact Denial of service - a single HTTP request with a multi-gigabyte body will consume all available memory. ## Location `internal/handlers/webhook.go:31` - `body, readErr := io.ReadAll(request.Body)` ## Fix Use `io.LimitReader` to cap the request body at a reasonable size (e.g., 1MB).

clawbot referenced a pull request that will close this issue

2026-02-08 21:05:27 +01:00

Limit webhook request body size to 1MB to prevent DoS (closes #1) #6

sneak closed this issue

2026-02-16 05:56:14 +01:00

sneak referenced this issue from a commit

2026-02-16 05:56:16 +01:00

fix: limit webhook request body size to 1MB to prevent DoS (closes #1)

sneak referenced this issue from a commit

2026-02-16 05:56:16 +01:00

Merge pull request 'Limit webhook request body size to 1MB to prevent DoS (closes #1)' (#6) from clawbot/upaas:fix/issue-1 into main

Sign in to join this conversation.