security: Add request body size limits to remaining API handlers
Add http.MaxBytesReader to 8 additional handlers to complete API hardening against memory exhaustion attacks: - guest_metadata.go: HandleUpdateMetadata (16KB) - notification_queue.go: RetryDLQItem, DeleteDLQItem (8KB each) - temperature_proxy.go: HandleRegister (8KB) - host_agents.go: HandleReport (256KB) - updates.go: HandleApplyUpdate (8KB) - docker_metadata.go: HandleUpdateMetadata (16KB) - system_settings.go: UpdateSystemSettings (64KB) All API handlers that decode JSON request bodies now have size limits.
This commit is contained in:
parent
7b55564b62
commit
c108cba8bb
7 changed files with 22 additions and 0 deletions
|
|
@ -78,6 +78,9 @@ func (h *DockerMetadataHandler) HandleUpdateMetadata(w http.ResponseWriter, r *h
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 16KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 16*1024)
|
||||
|
||||
var meta config.DockerMetadata
|
||||
if err := json.NewDecoder(r.Body).Decode(&meta); err != nil {
|
||||
http.Error(w, "Invalid request body", http.StatusBadRequest)
|
||||
|
|
|
|||
|
|
@ -83,6 +83,9 @@ func (h *GuestMetadataHandler) HandleUpdateMetadata(w http.ResponseWriter, r *ht
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 16KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 16*1024)
|
||||
|
||||
var meta config.GuestMetadata
|
||||
if err := json.NewDecoder(r.Body).Decode(&meta); err != nil {
|
||||
http.Error(w, "Invalid request body", http.StatusBadRequest)
|
||||
|
|
|
|||
|
|
@ -37,6 +37,8 @@ func (h *HostAgentHandlers) HandleReport(w http.ResponseWriter, r *http.Request)
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 256KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 256*1024)
|
||||
defer r.Body.Close()
|
||||
|
||||
var report agentshost.Report
|
||||
|
|
|
|||
|
|
@ -85,6 +85,9 @@ func (h *NotificationQueueHandlers) RetryDLQItem(w http.ResponseWriter, r *http.
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 8KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 8*1024)
|
||||
|
||||
var request struct {
|
||||
ID string `json:"id"`
|
||||
}
|
||||
|
|
@ -129,6 +132,9 @@ func (h *NotificationQueueHandlers) DeleteDLQItem(w http.ResponseWriter, r *http
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 8KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 8*1024)
|
||||
|
||||
var request struct {
|
||||
ID string `json:"id"`
|
||||
}
|
||||
|
|
|
|||
|
|
@ -462,6 +462,9 @@ func (h *SystemSettingsHandler) HandleUpdateSystemSettings(w http.ResponseWriter
|
|||
existingSettings = config.DefaultSystemSettings()
|
||||
}
|
||||
|
||||
// Limit request body to 64KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 64*1024)
|
||||
|
||||
// Read the request body into a map to check which fields were provided
|
||||
var rawRequest map[string]interface{}
|
||||
if err := json.NewDecoder(r.Body).Decode(&rawRequest); err != nil {
|
||||
|
|
|
|||
|
|
@ -176,6 +176,8 @@ func (h *TemperatureProxyHandlers) HandleRegister(w http.ResponseWriter, r *http
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 8KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 8*1024)
|
||||
defer r.Body.Close()
|
||||
|
||||
var req struct {
|
||||
|
|
|
|||
|
|
@ -83,6 +83,9 @@ func (h *UpdateHandlers) HandleApplyUpdate(w http.ResponseWriter, r *http.Reques
|
|||
return
|
||||
}
|
||||
|
||||
// Limit request body to 8KB to prevent memory exhaustion
|
||||
r.Body = http.MaxBytesReader(w, r.Body, 8*1024)
|
||||
|
||||
var req struct {
|
||||
DownloadURL string `json:"downloadUrl"`
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue