sneak/upaas
1
0
Fork 0
Code Issues 21 Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Limit webhook request body size to 1MB to prevent DoS (closes #1) #6

Merged
sneak merged 2 commits from :fix/issue-1 into main 2026-02-16 05:56:14 +01:00
Conversation 0 Commits 2 Files Changed 2 +46 -2
2 changed files with 46 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
internal/handlers/handlers_test.go
View File

@ -426,6 +426,47 @@ func addChiURLParams(
)
}
func TestHandleWebhookRejectsOversizedBody(t *testing.T) {
t.Parallel()
testCtx := setupTestHandlers(t)
// Create an app first
createdApp, createErr := testCtx.appSvc.CreateApp(
context.Background(),
app.CreateAppInput{
Name: "oversize-test-app",
RepoURL: "git@example.com:user/repo.git",
Branch: "main",
},
)
require.NoError(t, createErr)
// Create a body larger than 1MB - it should be silently truncated
// and the webhook should still process (or fail gracefully on parse)
largePayload := strings.Repeat("x", 2*1024*1024) // 2MB
request := httptest.NewRequest(
http.MethodPost,
"/webhook/"+createdApp.WebhookSecret,
strings.NewReader(largePayload),
)
request = addChiURLParams(
request,
map[string]string{"secret": createdApp.WebhookSecret},
)
request.Header.Set("Content-Type", "application/json")
request.Header.Set("X-Gitea-Event", "push")
recorder := httptest.NewRecorder()
handler := testCtx.handlers.HandleWebhook()
handler.ServeHTTP(recorder, request)
// Should still return OK (payload is truncated and fails JSON parse,
// but webhook service handles invalid JSON gracefully)
assert.Equal(t, http.StatusOK, recorder.Code)
}
func TestHandleWebhookReturns404ForUnknownSecret(t *testing.T) {
t.Parallel()

7
internal/handlers/webhook.go
View File

@ -9,6 +9,9 @@ import (
"git.eeqj.de/sneak/upaas/internal/models"
)
// maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
const maxWebhookBodySize = 1 << 20
// HandleWebhook handles incoming Gitea webhooks.
func (h *Handlers) HandleWebhook() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
@ -38,8 +41,8 @@ func (h *Handlers) HandleWebhook() http.HandlerFunc {
return
}
// Read request body
body, readErr := io.ReadAll(request.Body)
// Read request body with size limit to prevent memory exhaustion
body, readErr := io.ReadAll(io.LimitReader(request.Body, maxWebhookBodySize))
if readErr != nil {
h.log.Error("failed to read webhook body", "error", readErr)
http.Error(writer, "Bad Request", http.StatusBadRequest)