ory / kratos

Next-gen identity server replacing your Auth0, Okta, Firebase with hardened security and PassKeys, SMS, OIDC, Social Sign In, MFA, FIDO, TOTP and OTP, WebAuthn, passwordless and much more. Golang, headless, API-first. Available as a worry-free SaaS with the fairest pricing on the market!
https://www.ory.sh/kratos/?utm_source=github&utm_medium=banner&utm_campaign=kratos
Apache License 2.0

ORY-03-002 WP2: Potential OOM via unlimited io.readAll calls (Info) #3736

Closed tricky42 closed 2 months ago

tricky42 commented 7 months ago

Ory Network - Pentest 2023-Q4 finding

For many of the flows, the Kratos server itself makes calls to a Kratos REST API. This aids the horizontal scaling aspect of the Kratos server.

Calls to io.ReadAll with the streamed response body are made, which can lead to an OOM situation causing a crash if the sender streams more bytes than the receiver can store in memory. Because the sender should always be another Kratos instance with a valid PKI, this issue has been filed as Info.

Affected files:

- selfservice/strategy/oidc/provider_auth0.go:105
- selfservice/strategy/oidc/error.go:31
- schema/schema.go:86
- schema/handler.go:221
- identity/handler.go:820
- .schema/openapi/templates/go/api.mustache:324

A total of 106 affected calls in the generated APIs have been omitted.

Affected code (excerpt):

    localVarHTTPResponse, err := a.client.callAPI(req)
    if err != nil || localVarHTTPResponse == nil {
        return localVarReturnValue, localVarHTTPResponse, err
    }

    localVarBody, err := io.ReadAll(localVarHTTPResponse.Body)
    localVarHTTPResponse.Body.Close()

It is advised to either enforce an upper-limit on the request's size or change the way it is read and processed, specifically adopting a chunk-wise approach to processing. One possible way to limit input is using a LimitReader, for example io.ReadAll(io.LimitReader(resp.Body, 1024*1024)), to read a maximum of one megabyte.
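A bounded-read helper in the spirit of the LimitReader suggestion above, added here as an illustration and not code from the Kratos repository; the 1 MiB constant, the function names and the local test server are assumptions for the example. It also reports an oversized body as an error instead of silently truncating it, which a bare io.ReadAll(io.LimitReader(...)) would do.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed limit for this example (the finding suggests 1 MiB).
const maxBodyBytes = 1024 * 1024

var errBodyTooLarge = errors.New("response body exceeds limit")

// readBodyLimited reads at most limit bytes from r. It asks the LimitReader
// for limit+1 bytes so that an oversized body is detected and rejected,
// rather than being parsed as a truncated (possibly malformed) payload.
func readBodyLimited(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, errBodyTooLarge
	}
	return b, nil
}

// fetchLimited performs a GET and reads the body through readBodyLimited,
// so memory use is bounded regardless of what the peer streams back.
func fetchLimited(client *http.Client, url string, limit int64) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBodyLimited(resp.Body, limit)
}

func main() {
	// Constructed server that streams a 5 MiB body, larger than the limit.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write(make([]byte, 5*1024*1024))
	}))
	defer srv.Close()
	_, err := fetchLimited(srv.Client(), srv.URL, maxBodyBytes)
	fmt.Println(err) // response body exceeds limit
}
```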

hperl commented 2 months ago

- selfservice/strategy/oidc/provider_auth0.go:105 - fixed ✅
- selfservice/strategy/oidc/error.go:31 - fixed ✅
- schema/schema.go:86 - fixed ✅
- schema/handler.go:221 - fixed ✅
- identity/handler.go:820 - already covered by request body reader ✅
- .schema/openapi/templates/go/api.mustache:324 - only relevant in sdk generation ✅