Skip to content

GitHub webhook endpoint reads the request body with no size limit (DoS) #329

Description

@cavidelizade

Summary

The GitHub webhook receiver reads the entire request body with no size cap, before it checks the signature, on an unauthenticated route. A single large POST can exhaust process memory.

Where

apps/api/internal/handler/integration.go, GitHubWebhook:

body, err := io.ReadAll(c.Request.Body)

The route is registered on the root engine (router/router.go, POST /webhooks/github) with only Recovery/Logger/CORS, no auth, no http.MaxBytesReader, and the server sets no body limit (only a 15s read timeout).

Impact

Anyone can POST a multi-gigabyte stream (or many concurrent ones) and drive the process out of memory. The signature check happens after the full read, so it doesn't help.

Suggested fix

Wrap the body in http.MaxBytesReader before reading. GitHub caps webhook payloads at 25 MB, so that's a reasonable ceiling.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions