feat: Limit response size in HTTP key fetcher to prevent DoS attacks

domdomegg · domdomegg · commit 73159cb3e3e5 · 2025-08-19T11:55:27.000+01:00
diff --git a/internal/api/handlers/v0/auth/http.go b/internal/api/handlers/v0/auth/http.go
@@ -74,6 +74,9 @@ func (f *DefaultHTTPKeyFetcher) FetchKey(ctx context.Context, domain string) (st
 		return "", fmt.Errorf("HTTP %d: failed to fetch key from %s", resp.StatusCode, url)
 	}
 
+	// Limit response size to prevent DoS attacks
+	resp.Body = http.MaxBytesReader(nil, resp.Body, 4096)
+
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", fmt.Errorf("failed to read response body: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,9 @@ func (f *DefaultHTTPKeyFetcher) FetchKey(ctx context.Context, domain string) (st`
`74`	`74`	`return "", fmt.Errorf("HTTP %d: failed to fetch key from %s", resp.StatusCode, url)`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ // Limit response size to prevent DoS attacks`
	`78`	`+ resp.Body = http.MaxBytesReader(nil, resp.Body, 4096)`
	`79`	`+`
`77`	`80`	`body, err := io.ReadAll(resp.Body)`
`78`	`81`	`if err != nil {`
`79`	`82`	`return "", fmt.Errorf("failed to read response body: %w", err)`