gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: add request body size limiting

Browse Source 
Add request body size limiting (10MB) to readRequestBody method:
- Define maxRequestBodySize constant to prevent unbounded reads
- Use io.LimitReader to enforce size limit
- Add explicit error handling for oversized requests
- Prevents potential DoS attacks via large request bodies
This commit is contained in:
Chris Lu
2026-01-28 14:54:45 -08:00
parent b142689232
commit e862888d2d
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
weed/s3api/s3tables/handler.go
View File

@@ -22,6 +22,9 @@ const (
ExtendedKeyMetadata = "s3tables.metadata" ExtendedKeyMetadata = "s3tables.metadata"
ExtendedKeyPolicy = "s3tables.policy" ExtendedKeyPolicy = "s3tables.policy"
ExtendedKeyTags = "s3tables.tags" ExtendedKeyTags = "s3tables.tags"
// Maximum request body size (10MB)
maxRequestBodySize = 10 * 1024 * 1024
) )
var ( var (
@@ -178,11 +181,19 @@ func (h *S3TablesHandler) getAccountID(r *http.Request) string {
func (h *S3TablesHandler) readRequestBody(r *http.Request, v interface{}) error { func (h *S3TablesHandler) readRequestBody(r *http.Request, v interface{}) error {
defer r.Body.Close() defer r.Body.Close()
body, err := io.ReadAll(r.Body)
// Limit request body size to prevent unbounded reads
limitedReader := io.LimitReader(r.Body, maxRequestBodySize+1)
body, err := io.ReadAll(limitedReader)
if err != nil { if err != nil {
return fmt.Errorf("failed to read request body: %w", err) return fmt.Errorf("failed to read request body: %w", err)
} }
// Check if body exceeds size limit
if len(body) > maxRequestBodySize {
return fmt.Errorf("request body too large: exceeds maximum size of %d bytes", maxRequestBodySize)
}
if len(body) == 0 { if len(body) == 0 {
return nil return nil
} }