Summary
The GitHub webhook receiver reads the entire request body with no size cap, before it checks the signature, on an unauthenticated route. A single large POST can exhaust process memory.
Where
apps/api/internal/handler/integration.go, GitHubWebhook:
body, err := io.ReadAll(c.Request.Body)
The route is registered on the root engine (router/router.go, POST /webhooks/github) with only Recovery/Logger/CORS, no auth, no http.MaxBytesReader, and the server sets no body limit (only a 15s read timeout).
Impact
Anyone can POST a multi-gigabyte stream (or many concurrent ones) and drive the process out of memory. The signature check happens after the full read, so it doesn't help.
Suggested fix
Wrap the body in http.MaxBytesReader before reading. GitHub caps webhook payloads at 25 MB, so that's a reasonable ceiling.
Summary
The GitHub webhook receiver reads the entire request body with no size cap, before it checks the signature, on an unauthenticated route. A single large POST can exhaust process memory.
Where
apps/api/internal/handler/integration.go,GitHubWebhook:The route is registered on the root engine (
router/router.go,POST /webhooks/github) with only Recovery/Logger/CORS, no auth, nohttp.MaxBytesReader, and the server sets no body limit (only a 15s read timeout).Impact
Anyone can POST a multi-gigabyte stream (or many concurrent ones) and drive the process out of memory. The signature check happens after the full read, so it doesn't help.
Suggested fix
Wrap the body in
http.MaxBytesReaderbefore reading. GitHub caps webhook payloads at 25 MB, so that's a reasonable ceiling.