From e11473cf52dee3036fe3f65ac62273f0ad59b0af Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Thu, 25 May 2023 05:25:28 +0200
Subject: [PATCH] config: limit the size for env files

Signed-off-by: Nicola Murino
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/config/config.go | 5 +++++
 internal/config/config_test.go | 7 +++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 94c9ca26..e08fb5ac 100644
--- a/go.mod
+++ b/go.mod
@@ -160,7 +160,7 @@ require (
 golang.org/x/tools v0.9.1 // indirect
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
+ google.golang.org/genproto v0.0.0-20230524185152-1884fd1fac28 // indirect
 google.golang.org/grpc v1.55.0 // indirect
 google.golang.org/protobuf v1.30.0 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
diff --git a/go.sum b/go.sum
index 320461d7..a7b27d19 100644
--- a/go.sum
+++ b/go.sum
@@ -2816,8 +2816,8 @@ google.golang.org/genproto v0.0.0-20230113154510-dbe35b8444a5/go.mod h1:RGgjbofJ
 google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/genproto v0.0.0-20230125152338-dcaf20b6aeaa/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
-google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
-google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
+google.golang.org/genproto v0.0.0-20230524185152-1884fd1fac28 h1:+55/MuGJORMxCrkAgo2595fMAnN/4rweCuwibbqrvpc=
+google.golang.org/genproto v0.0.0-20230524185152-1884fd1fac28/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
diff --git a/internal/config/config.go b/internal/config/config.go
index 6d3a61e0..6d80d5b8 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -53,6 +53,7 @@ const (
 configName = "sftpgo"
 // ConfigEnvPrefix defines a prefix that environment variables will use
 configEnvPrefix = "sftpgo"
+ envFileMaxSize = 1048576
 )
 
 var (
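Review bot: The new `envFileMaxSize` constant has no comment and no unit, unlike the documented constant directly above it, and the test file repeats the same literal as `1048576+1`. I would add `// envFileMaxSize is the maximum size in bytes (1 MiB) of an env file; larger files are skipped by readEnvFiles` above the declaration so the limit and its effect can be found from one place. The const block starts outside the hunk.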
@@ -654,6 +655,10 @@ func readEnvFiles(configDir string) {
 info, err := entry.Info()
 if err == nil && info.Mode().IsRegular() {
 envFile := filepath.Join(envd, entry.Name())
+ if info.Size() > envFileMaxSize {
+ logger.Info(logSender, "", "env file %q too big: %s, skipping", entry.Name(), util.ByteCountIEC(info.Size()))
+ continue
+ }
 err = gotenv.Load(envFile)
 if err != nil {
 logger.Error(logSender, "", "unable to load env vars from file %q, err: %v", envFile, err)
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 2a706c55..63e96df7 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -15,6 +15,7 @@
 package config_test
 
 import (
+ "crypto/rand"
 "encoding/json"
 "os"
 "path/filepath"
@@ -101,10 +102,16 @@ func TestReadEnvFiles(t *testing.T) {
 err := os.Mkdir(envd, os.ModePerm)
 assert.NoError(t, err)
 
+ content := make([]byte, 1048576+1)
+ _, err = rand.Read(content)
+ assert.NoError(t, err)
+
 err = os.WriteFile(filepath.Join(envd, "env1"), []byte("SFTPGO_SFTPD__MAX_AUTH_TRIES = 10"), 0666)
 assert.NoError(t, err)
 err = os.WriteFile(filepath.Join(envd, "env2"), []byte(`{"invalid env": "value"}`), 0666)
 assert.NoError(t, err)
+ err = os.WriteFile(filepath.Join(envd, "env3"), content, 0666)
+ assert.NoError(t, err)
 
 err = config.LoadConfig(configDir, "")
 assert.NoError(t, err)
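Review bot: The size limit is enforced on `info.Size()` from `entry.Info()`, but `gotenv.Load(envFile)` then reopens the file by path and reads it without any bound, so a file that grows or is replaced between the stat and the load is still read in full. Bounding the read itself closes that gap: open the file, read at most `envFileMaxSize+1` bytes through `io.LimitReader`, reject the file if the extra byte is present, and hand the buffer to `gotenv.Apply`, which like `Load` does not override variables that are already set. Whether anyone other than the administrator can write to this directory is not visible here, so treat this as hardening unless that is the case. Separately, a skipped file means configuration was not applied, yet it is logged at Info while the load failure a few lines below uses `logger.Error`. The loop and the function body start and end outside the hunk, and the sketch assumes `os`, `io` and `bytes` are imported in this file.

```go
envFile := filepath.Join(envd, entry.Name())
// … unchanged: info.Size() pre-check, kept as a cheap early skip …
f, err := os.Open(envFile)
if err != nil {
	logger.Error(logSender, "", "unable to open env file %q, err: %v", envFile, err)
	continue
}
// Read one byte past the limit so an oversized file is detected from the
// bytes actually read rather than from the earlier stat.
data, err := io.ReadAll(io.LimitReader(f, envFileMaxSize+1))
f.Close()
if err == nil && len(data) > envFileMaxSize {
	logger.Error(logSender, "", "env file %q too big, skipping", envFile)
	continue
}
if err == nil {
	err = gotenv.Apply(bytes.NewReader(data))
}
// … unchanged: logger.Error on a load failure …
```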
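Review bot: Nothing visible in this hunk asserts that `env3` was actually skipped: `LoadConfig` already returns no error with the invalid `env2` in place, and random bytes are unlikely to define a variable the test inspects, so the test would presumably still pass with the size check removed. A payload that would be applied if it were loaded makes the skip observable, for example a file that starts with `SFTPGO_OVERSIZE_PROBE=1` (a constructed name) and is padded past the limit with comment bytes, followed after `LoadConfig` by `_, ok := os.LookupEnv("SFTPGO_OVERSIZE_PROBE")` and `assert.False(t, ok)`. A second file of exactly 1048576 bytes that is expected to load would pin the boundary, since the check is `>` rather than `>=`. The rest of TestReadEnvFiles lies outside the hunk, so later assertions may already cover part of this.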