fix(fetchers): enforce body size limits for registry JSON by chaliy · Pull Request #119 · everruns/fetchkit

chaliy · 2026-05-17T16:47:35Z

The PackageRegistryFetcher previously used Response::json() which buffers the entire decompressed response body, bypassing the repository's existing body-size cap and creating an OOM/DoS risk for large or malicious registry metadata.

Reused the default fetcher's read_body_with_timeout and applied options.max_body_size.unwrap_or(DEFAULT_MAX_BODY_SIZE) in PackageRegistryFetcher::fetch to restore bounded reads.
Replaced unbounded resp.json().await calls with a bounded read followed by serde_json::from_slice(&body) for PyPI, crates.io, and npm handlers.
Propagated a max_body_size: usize parameter to fetch_pypi, fetch_crates_io, and fetch_npm and preserved existing output formatting and behavior.
Committed under fix(fetchers): enforce body size limits for registry JSON to address the introduced vulnerability with minimal behavioral change.

Ran cargo fmt --all which completed successfully.
Ran targeted tests with cargo test -p fetchkit package_registry -- --nocapture and all package-registry-related unit tests passed (8 passed, 0 failed).
Built and ran fetchkit test profile during the run which finished successfully for the exercised targets.

…ability

fix(fetchers): enforce body size limits for registry JSON

123886c

chaliy added codex aardvark labels May 17, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into 2026-05-17-fix-unbounded-json-parsing-vulner…

7475241

…ability

chaliy merged commit 8f76539 into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-fix-unbounded-json-parsing-vulnerability branch May 17, 2026 18:25

Provide feedback