weaveworks / pipeline-controller

This repository contains the Pipeline CRD and associated controller for Weave GitOps Enterprise.

Limit number of bytes read from request body in promotion webhook #45

Open makkes opened 2 years ago

makkes commented 2 years ago

In the webhook handler for promotions we read the whole body from the request. This is a potential attack vector causing OOM errors. The number of bytes read from the request body should be limited to mitigate this issue.

Since we only accept a very deterministic data structure we can set this limit fairly low, something between ¼ MiB and 1 MiB I suppose.
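The bounded-read approach described in this comment, as an added example in Go (the language of the controller); this is illustrative code, not pipeline-controller's own webhook handler. The 1 MiB cap, the `promotionPayload` type and the `/promotion` path are assumptions made for the example. The cap is a parameter so it can be raised where larger payloads are expected.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxPromotionBody is an assumed cap for this example; the issue suggests
// something between 1/4 MiB and 1 MiB for the promotion payload.
const maxPromotionBody int64 = 1 << 20 // 1 MiB

// promotionPayload is a stand-in for the expected request structure
// (assumed for the example, not the project's real type).
type promotionPayload struct {
	Pipeline    string `json:"pipeline"`
	Environment string `json:"environment"`
	Version     string `json:"version"`
}

// newPromotionHandler returns a handler that never buffers more than limit
// bytes of the request body. Content-Length is client controlled and may be
// absent (chunked encoding), so the cap is enforced on bytes actually read,
// not on the declared length.
func newPromotionHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// MaxBytesReader fails the read with *http.MaxBytesError once more
		// than limit bytes arrive, and tells the server to close the
		// connection rather than drain the rest of the body.
		r.Body = http.MaxBytesReader(w, r.Body, limit)
		body, err := io.ReadAll(r.Body)
		if err != nil {
			var mbe *http.MaxBytesError
			if errors.As(err, &mbe) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "failed to read request body", http.StatusBadRequest)
			return
		}
		var p promotionPayload
		if err := json.Unmarshal(body, &p); err != nil {
			http.Error(w, "invalid JSON", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
}

// postPromotion drives the handler through httptest (no listening socket)
// and returns the HTTP status code, so the limit can be exercised offline.
func postPromotion(h http.Handler, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/promotion", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newPromotionHandler(maxPromotionBody)
	// Constructed sample inputs: a well-formed payload and an oversized body.
	ok := `{"pipeline":"app","environment":"prod","version":"1.2.3"}`
	huge := strings.Repeat("A", int(maxPromotionBody)+1)
	fmt.Println("valid:", postPromotion(h, ok), "oversized:", postPromotion(h, huge))
}
```

Note that the handler still allocates up to `limit` bytes per in-flight request before rejecting, so the cap bounds memory per connection rather than eliminating it; pairing it with a server-side read timeout and a sensible limit on concurrent connections completes the picture.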

bigkevmcd commented 2 years ago

If you're expecting to get GitHub hooks, they can be over 1MiB

LappleApple commented 1 year ago

Have we addressed this issue in some way since the issue was filed? cc @yiannistri

yiannistri commented 1 year ago

No, we haven't yet.