prevent dwonload of unpausible response bodies (#50)

Author: SniperSister

app/RemoteSite/Connection.php

@@ -15,6 +15,7 @@
 use GuzzleHttp\Exception\RequestException;
 use GuzzleHttp\Psr7\Request;
 use GuzzleHttp\Psr7\Response;
+use GuzzleHttp\Psr7\Utils;
 use Illuminate\Support\Facades\App;
 use Psr\Http\Message\RequestInterface;
 
@@ -121,12 +122,33 @@ protected function performHttpRequest(
         /** @var Client $httpClient */
         $httpClient = App::make(Client::class);
 
+        // Send a streamed response to be able to validate the size
+        $options['stream'] = true;
+        $options['progress'] = function (
+            $downloadTotal,
+            $downloadedBytes
+        ) use ($request) {
+            if ($downloadedBytes > 1024000) {
+                throw new \RuntimeException("Unplausible response size while fetching from " . $request->getUri());
+            }
+        };
+
         /** @var Response $response */
         $response = $httpClient->send(
             $request,
             $options
         );
 
+        // Convert the streamed response into a "normal" one
+        $buffer = '';
+
+        while (!$response->getBody()->eof()) {
+            $buffer .= $response->getBody()->read(8192);
+        }
+
+        // Overwrite streamed body
+        $response = $response->withBody(Utils::streamFor($buffer));
+
         // Validate response
         if (!json_validate((string) $response->getBody())) {
             throw new RequestException(