
httpfs: limit body size

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 1 năm trước cách đây
mục cha
commit
19a95d8c55
2 tập tin đã thay đổi với 36 bổ sung8 xóa
  1. 6 2
      internal/dataprovider/node.go
  2. 30 6
      internal/vfs/httpfs.go

+ 6 - 2
internal/dataprovider/node.go

@@ -232,9 +232,13 @@ func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder
 	if resp.StatusCode < http.StatusOK || resp.StatusCode > http.StatusNoContent {
 		return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
 	}
-	err = json.NewDecoder(resp.Body).Decode(responseHolder)
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, 10485760))
 	if err != nil {
-		return fmt.Errorf("unable to decode response as json")
+		return fmt.Errorf("unable to read response body: %w", err)
+	}
+	err = json.Unmarshal(respBody, responseHolder)
+	if err != nil {
+		return errors.New("unable to decode response as json")
 	}
 	return nil
 }
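Review bot: `io.LimitReader` stops silently at the limit, so a response larger than 10485760 bytes reaches `json.Unmarshal` truncated and comes back as "unable to decode response as json", which hides that the size cap was hit. Reading one byte past the cap and rejecting the overflow explicitly lets an oversized response be told apart from a malformed one in logs. The same applies to the five `io.LimitReader` reads added in internal/vfs/httpfs.go (Stat, ReadDir, GetDirSize, GetMimeType, GetAvailableDiskSize). The decode error could also keep its cause with `%w`, as the read error above it already does. SendGetRequest starts before this hunk, so only the tail of the function is visible.

```go
// … unchanged: status code check …
respBody, err := io.ReadAll(io.LimitReader(resp.Body, 10485760+1))
// … unchanged: read error handling …
if len(respBody) > 10485760 {
	return errors.New("response body too large")
}
err = json.Unmarshal(respBody, responseHolder)
if err != nil {
	return fmt.Errorf("unable to decode response as json: %w", err)
}
```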

+ 30 - 6
internal/vfs/httpfs.go

@@ -44,7 +44,8 @@ import (
 
 const (
 	// httpFsName is the name for the HTTP Fs implementation
-	httpFsName = "httpfs"
+	httpFsName            = "httpfs"
+	maxHTTPFsResponseSize = 1048576
 )
 
 var (
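Review bot: `maxHTTPFsResponseSize` is added without a comment of its own, and the existing comment at the top of the const block describes only `httpFsName`. Neither the unit nor the reason for the cap is obvious from the bare value, and the ReadDir hunk later scales it inline with `maxHTTPFsResponseSize*10`. I would add `// maxHTTPFsResponseSize is the maximum size, in bytes, of a JSON response body read by HTTPFs (1 MiB)` above it and give the directory-listing cap its own named, commented constant.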
@@ -283,8 +284,12 @@ func (fs *HTTPFs) Stat(name string) (os.FileInfo, error) {
 	}
 	defer resp.Body.Close()
 
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))
+	if err != nil {
+		return nil, err
+	}
 	var response statResponse
-	err = json.NewDecoder(resp.Body).Decode(&response)
+	err = json.Unmarshal(respBody, &response)
 	if err != nil {
 		return nil, err
 	}
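Review bot: The read-then-unmarshal sequence added here is repeated verbatim in the ReadDir, GetDirSize, GetMimeType and GetAvailableDiskSize hunks, with only the limit and the target type differing. A small helper would keep the size policy in one place, so a later change to the cap or its error handling cannot miss a call site. The helper name below is a suggestion, and it assumes `fmt` is already imported in httpfs.go, which this page does not show. Stat begins before this hunk and continues after it.

```go
// readJSONResponse decodes a JSON body of at most limit bytes into v and
// fails explicitly when the body is larger than limit.
func readJSONResponse(body io.Reader, limit int64, v any) error {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > limit {
		return fmt.Errorf("response body exceeds %d bytes", limit)
	}
	return json.Unmarshal(data, v)
}

// … unchanged: request and defer resp.Body.Close() in Stat …
var response statResponse
if err := readJSONResponse(resp.Body, maxHTTPFsResponseSize, &response); err != nil {
	return nil, err
}
```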
@@ -479,8 +484,12 @@ func (fs *HTTPFs) ReadDir(dirname string) ([]os.FileInfo, error) {
 	}
 	defer resp.Body.Close()
 
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize*10))
+	if err != nil {
+		return nil, err
+	}
 	var response []statResponse
-	err = json.NewDecoder(resp.Body).Decode(&response)
+	err = json.Unmarshal(respBody, &response)
 	if err != nil {
 		return nil, err
 	}
@@ -550,8 +559,13 @@ func (fs *HTTPFs) GetDirSize(dirname string) (int, int64, error) {
 	}
 	defer resp.Body.Close()
 
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))
+	if err != nil {
+		return 0, 0, err
+	}
+
 	var response dirSizeResponse
-	err = json.NewDecoder(resp.Body).Decode(&response)
+	err = json.Unmarshal(respBody, &response)
 	if err != nil {
 		return 0, 0, err
 	}
@@ -621,8 +635,13 @@ func (fs *HTTPFs) GetMimeType(name string) (string, error) {
 	}
 	defer resp.Body.Close()
 
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))
+	if err != nil {
+		return "", err
+	}
+
 	var response mimeTypeResponse
-	err = json.NewDecoder(resp.Body).Decode(&response)
+	err = json.Unmarshal(respBody, &response)
 	if err != nil {
 		return "", err
 	}
@@ -646,8 +665,13 @@ func (fs *HTTPFs) GetAvailableDiskSize(dirName string) (*sftp.StatVFS, error) {
 	}
 	defer resp.Body.Close()
 
+	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxHTTPFsResponseSize))
+	if err != nil {
+		return nil, err
+	}
+
 	var response statVFSResponse
-	err = json.NewDecoder(resp.Body).Decode(&response)
+	err = json.Unmarshal(respBody, &response)
 	if err != nil {
 		return nil, err
 	}