Add post payload length protection for auth pages
darh committed Mar 1, 2022
1 parent 820a401 commit 72c93c0
Showing 1 changed file with 38 additions and 0 deletions.
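--- a/auth/handlers/handler.go
+++ b/auth/handlers/handler.go
@@ -134,6 +134,12 @@ const (
 TmplMfaTotp = "mfa-totp.html.tpl"
 TmplMfaTotpDisable = "mfa-totp-disable.html.tpl"
 TmplInternalError = "error-internal.html.tpl"
+
+// 1k of data per POST field is all we allow
+maxPostValueLength = 2 << 9
+
+// general limitation on number of fields
+maxPostFields = 10
 )
 
 func init() {
@@ -146,6 +152,7 @@ func init() {
 // handles auth request and prepares request struct with request, session and response helper
 func (h *AuthHandlers) handle(fn handlerFn) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+
 var (
 req = &request.AuthReq{
 Response: w,
@@ -169,6 +176,11 @@ func (h *AuthHandlers) handle(fn handlerFn) http.HandlerFunc {
 return
 }
 
+if !validFormPost(r) {
+req.Status = http.StatusRequestEntityTooLarge
+return
+}
+
 req.Client = request.GetOauth2Client(req.Session)
 
 req.AuthUser = request.GetAuthUser(req.Session)
@@ -413,3 +425,29 @@ func anonyOnly(fn handlerFn) handlerFn {
 func translator(req *request.AuthReq, ns string) func(key string, rr ...string) string {
 return req.Locale.NS(req.Context(), ns)
 }
+
+// general validation of posted data
+//
+// quite primitive for now but should be effective against out-of-bounds attacks
+//
+// in the future, more sophisticated validation might be needed
+func validFormPost(r *http.Request) bool {
+if len(r.Form) > maxPostFields {
+// auth does not have any large forms
+return false
+}
+
+// None of the values from the post fields should be longer than max length
+for k, _ := range r.Form {
+if len(r.Form[k]) > 1 {
+// assuming only one value per field!
+return false
+}
+
+if len(r.Form[k][0]) > maxPostValueLength {
+return false
+}
+}
+
+return true
+}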
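Review bot: validFormPost inspects r.Form, which is only populated once ParseForm/ParseMultipartForm has already read and decoded the whole body, so by the time the check in handle runs an oversized payload has already been buffered in memory; this bounds what downstream handlers see, not what the server parses, and the "out-of-bounds" wording in the doc comment overstates it. To actually cap the payload, limit the body before it is parsed, e.g. `r.Body = http.MaxBytesReader(w, r.Body, maxPostFields*maxPostValueLength+512)` at the top of the returned handler (ParseForm then fails with 413-class error instead of reading unbounded data), and keep validFormPost as the per-field sanity check. Note also that r.Form merges the URL query string with the POST body, so query parameters count toward the 10-field limit and a GET with many parameters would be rejected with 413; if the intent is POST-only, check `r.PostForm`. Whether ParseForm is called earlier in handle is not visible here (the function body between the second and third hunks is cut), and if it is not, r.Form is nil and the check always passes — worth confirming. Minor: `for k, _ := range r.Form` should be `for k := range r.Form` (go vet/gofmt), and indexing `r.Form[k][0]` assumes the parsed url.Values never holds an empty slice, which is true for ParseForm output but would panic if r.Form is set by hand.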
