Closed tricky42 closed 2 months ago
- selfservice/strategy/oidc/provider_auth0.go:105 - fixed ✅
- selfservice/strategy/oidc/error.go:31 - fixed ✅
- schema/schema.go:86 - fixed ✅
- schema/handler.go:221 - fixed ✅
- identity/handler.go:820 - already covered by request body reader ✅
- .schema/openapi/templates/go/api.mustache:324 - only relevant in sdk generation ✅
Ory Network - Pentest 2023-Q4 finding
For many of the flows, the Kratos server itself makes calls to a Kratos REST API. This aids the horizontal scaling aspect of the Kratos server.
Calls to io.ReadAll with the streamed response body are made, which can lead to an OOM situation causing a crash if the sender streams more bytes than the receiver can store in memory. Because the sender should always be another Kratos instance with a valid PKI, this issue has been filed as Info.
Affected files:
- selfservice/strategy/oidc/provider_auth0.go:105
- selfservice/strategy/oidc/error.go:31
- schema/schema.go:86
- schema/handler.go:221
- identity/handler.go:820
- .schema/openapi/templates/go/api.mustache:324
A total of 106 affected calls in the generated APIs have been omitted.
Affected code (excerpt):
It is advised to either enforce an upper limit on the request's size or change the way it is read and processed, specifically adopting a chunk-wise approach to processing. One possible way to limit input is a LimitReader, for example `io.ReadAll(io.LimitReader(resp.Body, 1024*1024))`, which reads at most one megabyte.
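As an added illustration of the two ways to cap the reads described above (this is example code, not code from the Kratos repository or from this issue): `ReadAllLimited` is the LimitReader approach for the client-side response reads, with the caveat that a bare LimitReader silently truncates an oversized body, and `ReadRequestBody` is the equivalent cap for the HTTP handlers via `http.MaxBytesReader`. The one-megabyte limit and both function names are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// maxBodyBytes is an assumed cap of one megabyte, matching the advice above.
const maxBodyBytes int64 = 1024 * 1024

// ErrBodyTooLarge reports a body that exceeded the configured cap.
var ErrBodyTooLarge = errors.New("body exceeds size limit")

// ReadAllLimited replaces io.ReadAll(resp.Body) on the client side. A bare
// io.ReadAll(io.LimitReader(body, max)) truncates an oversized body without
// any error, so a malformed or hostile payload could be parsed as a short
// one; reading one byte past the cap lets the caller reject it explicitly.
func ReadAllLimited(body io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// ReadRequestBody is the server-side variant for HTTP handlers: wrapping
// r.Body in http.MaxBytesReader makes io.ReadAll fail (and the server close
// the connection) once more than max bytes have been read.
func ReadRequestBody(w http.ResponseWriter, r *http.Request, max int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, max)
	return io.ReadAll(r.Body)
}

func main() {
	// Constructed stand-ins for streamed bodies: a small JSON document and a
	// 2 MiB blob that exceeds the cap.
	small := bytes.NewReader([]byte(`{"id":"constructed"}`))
	huge := bytes.NewReader(bytes.Repeat([]byte("A"), 2*1024*1024))
	for _, body := range []io.Reader{small, huge} {
		data, err := ReadAllLimited(body, maxBodyBytes)
		fmt.Printf("read %d bytes, err=%v\n", len(data), err)
	}
}
```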