chore(server): restrict gzip deflated body size

Restricts the size of the decompressed request body when using gzip.
2020-11-30 15:20:20 +00:00 · 2020-11-30 15:20:20 +00:00 · 19b0ff284d
parent 867aba847a
commit 19b0ff284d
1 changed files with 4 additions and 0 deletions
--- a/src/server/http_routes.rs
+++ b/src/server/http_routes.rs
@ -188,6 +188,10 @@ async fn parse_body(req: hyper::Request<Body>) -> Result<Bytes, ApplicationError
    if ungzip {
        use std::io::Read;
        let decoder = flate2::read::GzDecoder::new(&body[..]);
+
+        // Read at most MAX_SIZE bytes to prevent a decompression bomb based
+        // DoS.
+        let mut decoder = decoder.take(MAX_SIZE as u64);
        let mut decoded_data = Vec::new();
        decoder
            .read_to_end(&mut decoded_data)