From 045748080b666c1f3b6a798504f4da41c1f3c573 Mon Sep 17 00:00:00 2001
From: David Jardin
Date: Mon, 27 Oct 2025 09:36:01 +0100
Subject: [PATCH 1/2] prevent dwonload of unpausible response bodies

---
 app/RemoteSite/Connection.php | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/app/RemoteSite/Connection.php b/app/RemoteSite/Connection.php
index 87f2e83..92de8cc 100644
--- a/app/RemoteSite/Connection.php
+++ b/app/RemoteSite/Connection.php
@@ -15,6 +15,7 @@ use GuzzleHttp\Exception\RequestException;
 use GuzzleHttp\Psr7\Request;
 use GuzzleHttp\Psr7\Response;
+use GuzzleHttp\Psr7\Utils;
 use Illuminate\Support\Facades\App;
 use Psr\Http\Message\RequestInterface;
@@ -121,12 +122,33 @@ protected function performHttpRequest(
 /** @var Client $httpClient */
 $httpClient = App::make(Client::class);
+ // Send a streamed response to be able to validate the size
+ $options['stream'] = true;
+ $options['progress'] = function (
+ $downloadTotal,
+ $downloadedBytes
+ ) use ($request) {
+ if ($downloadedBytes > 1024000) {
+ throw new \RuntimeException("Unplausible response size while fetchting from " . $request->getUri());
+ }
+ };
+
 /** @var Response $response */
 $response = $httpClient->send(
 $request,
 $options
 );
+ // Convert the streamed response into a "normal" one
+ $buffer = '';
+
+ while (!$response->getBody()->eof()) {
+ $buffer .= $response->getBody()->read(8192);
+ }
+
+ // Overwrite streamed body
+ $response = $response->withBody(Utils::streamFor($buffer));
+
 // Validate response
 if (!json_validate((string) $response->getBody())) {
 throw new RequestException(

From 57166e95678fb5f6411bc5f92ad79e36ce3b76fc Mon Sep 17 00:00:00 2001
From: Harald Leithner
Date: Mon, 27 Oct 2025 10:11:54 +0100
Subject: [PATCH 2/2] Update app/RemoteSite/Connection.php

Co-authored-by: Brian Teeman
---
 app/RemoteSite/Connection.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
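Review bot: The conversion loop at `while (!$response->getBody()->eof())` accumulates `$buffer` with no bound of its own, so the 1024000-byte cap holds only as long as the handler behind `App::make(Client::class)` actually invokes the `progress` callback and lets its `\RuntimeException` propagate out of `send()`; a handler that does neither leaves the read unbounded. Re-checking the same limit inside the loop makes the bound independent of the handler, and the literal `1024000` should then live in one class constant instead of being repeated. The callback also ignores `$downloadTotal`, so a server that announces an oversized Content-Length is still downloaded up to the cap before the abort; `if ($downloadTotal > 1024000 || $downloadedBytes > 1024000) {` would reject it before any body bytes arrive. Note as well that the size failure is a `\RuntimeException` while the JSON check a few lines later throws `RequestException`, so callers that catch `RequestException` around this method will presumably not see the size failure. performHttpRequest starts and ends outside the hunk.
```php
// … unchanged: $options['stream'] / $options['progress'] setup and $httpClient->send() …

// Convert the streamed response into a "normal" one, re-checking the cap here
// so the bound does not depend on the handler calling the progress callback
$maxBytes = 1024000; // keep in sync with the progress callback (ideally one class constant)
$buffer = '';
$body = $response->getBody();

while (!$body->eof()) {
    $buffer .= $body->read(8192);

    // strlen() is deliberately byte-wise: the cap is on transferred bytes, not characters
    if (strlen($buffer) > $maxBytes) {
        throw new \RuntimeException("Unplausible response size while fetching from " . $request->getUri());
    }
}

// Overwrite streamed body
$response = $response->withBody(Utils::streamFor($buffer));
```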
diff --git a/app/RemoteSite/Connection.php b/app/RemoteSite/Connection.php
index 92de8cc..f3842c5 100644
--- a/app/RemoteSite/Connection.php
+++ b/app/RemoteSite/Connection.php
@@ -129,7 +129,7 @@ protected function performHttpRequest(
 $downloadedBytes
 ) use ($request) {
 if ($downloadedBytes > 1024000) {
- throw new \RuntimeException("Unplausible response size while fetchting from " . $request->getUri());
+ throw new \RuntimeException("Unplausible response size while fetching from " . $request->getUri());
 }
 };