It is not safe to read all stream body to memory without a max size limit. · valyala/fasthttp#1765

(8 留言) (0 反應) (0 負責人)Go (21,741 star) (1,755 fork)batch import

help wanted

描述

https://github.com/valyala/fasthttp/blob/57b9352ad1cc93a0aaaa72b2130e03ace8a5b118/http.go#L427 I think it would be safe to stop reading the request body into memory and return an error when it exceeds the maximum request body size. Otherwise, it may lead to an out-of-memory (OOM) error when the request body is too large.

技術棧: go
領域: backendsecurity
議題類型: bug
難度: 3
預計時間: 1-3 hours
活動狀態: fresh
清晰度: clear
前置要求: Go basicsHTTP server internals
新手友善度: 45
研究方向: The issue points to line 427 in http.go where the entire request body is read into memory without a size limit. To fix, add a check for a maximum request body size before reading, preferably using a configurable limit (e.g., MaxRequestBodySize). When exceeded, the read should stop and return an error, likely with a 413 status code. Ensure integration with the existing fasthttp request handling pipeline and consider any existing size settings.