MEDIUM: Unbounded request body read in webhook handler — denial of service #21

Closed
opened 2026-02-16 05:47:11 +01:00 by clawbot · 1 comment
Collaborator

Bug

File: internal/handlers/webhook.go, HandleWebhook(), line ~30

Severity: MEDIUM — Denial of Service

Description

The webhook handler reads the entire request body without any size limit:

```go
body, readErr := io.ReadAll(request.Body)
```

An attacker who knows (or guesses) a webhook URL can send an arbitrarily large payload, consuming all available memory and causing the process to OOM.

The webhook endpoint is unauthenticated (protected only by the secret in the URL), making this externally exploitable.

Suggested Fix

Use io.LimitReader to cap the body size:

```go
const maxWebhookBodySize = 1 << 20 // 1MB
body, readErr := io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))
```
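Added example (not code from the upaas project or from the reporter): a hypothetical `handleWebhook` that enforces the same 1 MiB cap with `http.MaxBytesReader`, next to `limitedRead`, which applies the `io.LimitReader` fix from the issue to a constructed body. The test-style helpers show the practical difference: `io.LimitReader` bounds memory but returns a truncated body with a nil error, while `http.MaxBytesReader` surfaces an error so the oversized request can be answered with 413 instead of being parsed in truncated form.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxWebhookBodySize = 1 << 20 // 1 MiB, the cap proposed in the issue
// limitedRead applies the io.LimitReader fix from the issue to a constructed n-byte body:
// memory is bounded, but an oversized body is silently truncated to the cap with a nil error.
func limitedRead(n int) (int, error) {
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(strings.Repeat("x", n)))
	body, err := io.ReadAll(io.LimitReader(req.Body, maxWebhookBodySize))
	return len(body), err
}

// handleWebhook is a hypothetical hardened handler (not the project's HandleWebhook).
// http.MaxBytesReader enforces the same cap but returns *http.MaxBytesError once it is
// exceeded, so an oversized request is rejected instead of processed in truncated form.
func handleWebhook(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBodySize)
	body, err := io.ReadAll(r.Body)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	_ = body // verify the webhook secret/signature and dispatch the event here
	w.WriteHeader(http.StatusNoContent)
}

// postStatus sends a constructed n-byte body to handleWebhook and returns its status code.
func postStatus(n int) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/webhook", strings.NewReader(strings.Repeat("x", n)))
	handleWebhook(rec, req)
	return rec.Code
}
func main() {
	got, err := limitedRead(maxWebhookBodySize + 1)
	fmt.Println(got, err, postStatus(16), postStatus(maxWebhookBodySize+1)) // 1048576 <nil> 204 413
}
```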
Owner

this is already fixed in #6
sneak closed this issue 2026-02-16 06:32:16 +01:00
Reference: sneak/upaas#21