
Limit number of bytes read from request body in promotion webhook #45

Open
makkes opened this issue Oct 20, 2022 · 3 comments
Labels
promotion Bug or feature related to app promotion

Comments

@makkes (Member) commented Oct 20, 2022

In the webhook handler for promotions we read the whole body from the request. This is a potential attack vector causing OOM errors. The number of bytes read from the request body should be limited to mitigate this issue.

Since we only accept a very deterministic data structure we can set this limit fairly low, something between ¼ MiB and 1 MiB I suppose.

@makkes makkes added the promotion Bug or feature related to app promotion label Oct 20, 2022
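One way to bound the read, shown here as an added example and not code from the project or from this issue's author: wrap the body in net/http's `http.MaxBytesReader` before anything decodes it, so the decoder can never pull more than `limit+1` bytes off the wire however large the client's body is. The `promotionPayload` struct, the `/promotion` route, the 1 MiB constant and the sample bodies are assumptions for illustration; the handler's real schema and limit are not on the page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed limit for this example. The issue suggests somewhere between
// 1/4 MiB and 1 MiB; the project's real value is not given on the page.
const maxPromotionBodyBytes int64 = 1 << 20

// promotionPayload is a hypothetical stand-in for the "very deterministic
// data structure" the webhook accepts; the real schema is not on the page.
type promotionPayload struct {
	App         string `json:"app"`
	Environment string `json:"environment"`
	Version     string `json:"version"`
}

// promotionHandler returns a handler that decodes the body through
// http.MaxBytesReader, so at most limit+1 bytes are ever read from the
// connection no matter how large the request body is.
func promotionHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Wrap before anything reads the body. On overflow MaxBytesReader
		// returns *http.MaxBytesError and tells the server to close the
		// connection instead of draining the rest of the request.
		r.Body = http.MaxBytesReader(w, r.Body, limit)

		dec := json.NewDecoder(r.Body)
		dec.DisallowUnknownFields() // reject anything outside the expected shape
		var p promotionPayload
		if err := dec.Decode(&p); err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "promotion body exceeds limit", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "malformed promotion payload", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusAccepted)
		fmt.Fprintf(w, "promoting %s to %s at %s\n", p.App, p.Environment, p.Version)
	}
}

// countingReader records how many bytes the handler actually consumed
// from the underlying body, which is what bounds memory use.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// postPromotion drives the handler in-process with httptest and returns
// the HTTP status and the number of body bytes that were read.
func postPromotion(limit int64, body string) (status int, bytesRead int64) {
	cr := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(http.MethodPost, "/promotion", cr)
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	promotionHandler(limit)(rec, req)
	return rec.Code, cr.n
}

func main() {
	// Constructed sample bodies; nothing here is captured from a real hook.
	small := `{"app":"podinfo","environment":"prod","version":"6.3.0"}`
	huge := `{"app":"podinfo","environment":"prod","version":"` + strings.Repeat("A", 4096) + `"}`
	broken := `{"app":`

	for _, tc := range []struct {
		name, body string
		limit      int64
	}{
		{"well-formed", small, maxPromotionBodyBytes},
		{"4 KiB value against a 1 KiB limit", huge, 1024},
		{"truncated JSON", broken, maxPromotionBodyBytes},
	} {
		code, n := postPromotion(tc.limit, tc.body)
		fmt.Printf("%-34s status=%d bytesRead=%d bodyLen=%d\n", tc.name, code, n, len(tc.body))
	}
}
```

The `bytesRead` counter is the point of the exercise: for the oversized body the handler stops after `limit+1` bytes and answers 413, rather than buffering the whole thing and then rejecting it. The limit is a tunable, not a constant to copy: the wrapper must be applied before any read of `r.Body` (a middleware that calls `io.ReadAll` first defeats it), and the value has to fit the senders you expect to accept.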
@bigkevmcd

If you're expecting to get GitHub hooks, they can be over 1MiB

@LappleApple

Have we addressed this issue in some way since the issue was filed? cc @yiannistri

@yiannistri (Collaborator)

No we haven't yet.
