forked from molecule-ai/molecule-core
Two HIGH-severity DoS surfaces: both handlers read the entire HTTP body with io.ReadAll(r.Body) and no upper bound, so a caller streaming a multi-gigabyte request could exhaust memory on the tenant instance before we even validated the JSON.

H3 (Discord webhook): wrap Body in io.LimitReader with a 1 MiB cap. Discord Interactions payloads are well under 10 KiB in practice.

H4 (workspace config PATCH): wrap Body in http.MaxBytesReader with a 256 KiB cap. Real configs are <10 KiB; jsonb handles the cap comfortably. Returns 413 Request Entity Too Large on overflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
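The two body-capping patterns the commit message describes, as an added Go example (not code from molecule-core or this fork): the pre-fix unbounded io.ReadAll beside the http.MaxBytesReader form that answers 413, plus the io.LimitReader form, with a counting reader that reports how many body bytes each handler actually buffered. Handler names, the /config path, the small JSON payload and the 4 MiB sample body are constructed for the example; only the caps (256 KiB, 1 MiB) and the 413 status come from the commit message.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Caps taken from the commit message: 256 KiB for the workspace config PATCH
// (H4) and 1 MiB for the Discord webhook (H3).
const (
	maxConfigBytes  = 256 << 10
	maxWebhookBytes = 1 << 20
)

// decodeJSON is the shared tail of every handler: parse, then 200 or 400.
func decodeJSON(w http.ResponseWriter, body []byte) {
	var payload map[string]any
	if err := json.Unmarshal(body, &payload); err != nil {
		http.Error(w, "invalid json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// unboundedHandler is the pre-fix shape: io.ReadAll with no cap buffers the
// whole body in memory before the JSON is ever looked at.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	decodeJSON(w, body)
}

// maxBytesHandler is the H4 shape: http.MaxBytesReader stops at the cap and
// returns a typed *http.MaxBytesError, so 413 can be reported precisely.
func maxBytesHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxConfigBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	decodeJSON(w, body)
}

// limitReaderHandler is the H3 shape. io.LimitReader truncates silently, so
// this variant reads one byte past the cap: an oversized body is then
// detectable while never buffering more than cap+1 bytes.
func limitReaderHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxWebhookBytes+1))
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	if len(body) > maxWebhookBytes {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	decodeJSON(w, body)
}

// countingReader records how many body bytes a handler actually consumed,
// which is the quantity that matters for the memory-exhaustion risk.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// Outcome is what one synthetic request produced.
type Outcome struct {
	Status    int
	BytesRead int64
}

// Send drives a handler with an in-memory request and reports the result.
func Send(h http.HandlerFunc, method, path, body string) Outcome {
	cr := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(method, path, cr)
	rec := httptest.NewRecorder()
	h(rec, req)
	return Outcome{Status: rec.Code, BytesRead: cr.n}
}

func main() {
	small := `{"name":"demo"}`           // constructed sample payload
	huge := strings.Repeat("a", 4<<20)   // constructed 4 MiB body, not valid JSON
	for name, h := range map[string]http.HandlerFunc{
		"unbounded":   unboundedHandler,
		"maxBytes":    maxBytesHandler,
		"limitReader": limitReaderHandler,
	} {
		fmt.Printf("%-12s small: %+v\n", name, Send(h, http.MethodPatch, "/config", small))
		fmt.Printf("%-12s huge:  %+v\n", name, Send(h, http.MethodPatch, "/config", huge))
	}
}
```

Running it shows the unbounded handler consuming all 4 MiB before rejecting the invalid JSON with 400, while the two capped handlers stop at cap+1 bytes and answer 413. The LimitReader variant reads one byte beyond the 1 MiB cap on purpose: a plain io.LimitReader at exactly the cap would hand the JSON decoder a truncated body and the handler could not tell an oversized request from a malformed one.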
| File |
|---|
| .. |
| adapter.go |
| channels_test.go |
| discord_test.go |
| discord.go |
| lark_test.go |
| lark.go |
| manager.go |
| registry.go |
| secret_test.go |
| secret.go |
| slack_test.go |
| slack.go |
| telegram.go |