Skip to content

fix(handlers): add MaxBytesReader to compose and AMA handlers#139

Merged
vnykmshr merged 1 commit into
mainfrom
fix/body-limit-hardening
Jul 3, 2026
Merged

fix(handlers): add MaxBytesReader to compose and AMA handlers#139
vnykmshr merged 1 commit into
mainfrom
fix/body-limit-hardening

Conversation

@vnykmshr

@vnykmshr vnykmshr commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

HandleSubmit, HandleEdit, and AMA Answer were the only POST handlers without MaxBytesReader. Oversized bodies now return 413 instead of silently truncating or consuming unlimited memory.

H1: Compose HandleSubmit + HandleEdit — 1MB limit, ParseForm overflow detection, 413 on overflow.
H2: AMA Answer — 64KB limit (matches other public POST handlers), isBodyTooLarge check before JSON bind.

3 regression tests: oversized compose submission, oversized compose edit, oversized AMA answer. All assert 413.

Threat-hunt finding: todos/security/reports/threat-hunt-2026-07-03.md.

HandleSubmit, HandleEdit, and AMA Answer were the only POST
handlers without MaxBytesReader. Oversized bodies now return
413 instead of silently truncating or consuming unlimited memory.
@vnykmshr vnykmshr merged commit a9ecf61 into main Jul 3, 2026
6 checks passed
@vnykmshr vnykmshr deleted the fix/body-limit-hardening branch July 3, 2026 03:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant