fix: limit HTTP response size

ory · Nov 27, 2024 · 2559819 · 2559819
1 parent fa21711
commit 2559819
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/client/validator.go b/client/validator.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/url"
 	"strings"
 
@@ -233,6 +234,7 @@ func (v *Validator) ValidateSectorIdentifierURL(ctx context.Context, location st
 		return errorsx.WithStack(ErrInvalidClientMetadata.WithDebug(fmt.Sprintf("Unable to connect to URL set by sector_identifier_uri: %s", err)))
 	}
 	defer response.Body.Close()
+	response.Body = io.NopCloser(io.LimitReader(response.Body, 5<<20 /* 5 MiB */))
 
 	var urls []string
 	if err := json.NewDecoder(response.Body).Decode(&urls); err != nil {

diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	stderrs "errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -790,6 +791,7 @@ func (s *DefaultStrategy) executeBackChannelLogout(r *http.Request, subject, sid
 			return
 		}
 		defer res.Body.Close()
+		res.Body = io.NopCloser(io.LimitReader(res.Body, 1<<20 /* 1 MB */)) // in case we ever start to read this response
 
 		if res.StatusCode != http.StatusOK && res.StatusCode != http.StatusNoContent {
 			log.WithError(errors.Errorf("expected HTTP status code %d or %d but got %d", http.StatusOK, http.StatusNoContent, res.StatusCode)).

diff --git a/oauth2/token_hook.go b/oauth2/token_hook.go
@@ -7,6 +7,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"io"
 	"net/http"
 
 	"github.com/pkg/errors"
@@ -112,6 +113,7 @@ func executeHookAndUpdateSession(ctx context.Context, reg x.HTTPClientProvider,
 		)
 	}
 	defer resp.Body.Close()
+	resp.Body = io.NopCloser(io.LimitReader(resp.Body, 5<<20 /* 5 MiB */))
 
 	switch resp.StatusCode {
 	case http.StatusOK: