### Describe the bug
In `view/html.go`, when fetching remote images for HTML email rendering, `io.ReadAll(resp.Body)` reads the entire response body with no size limit. A malicious HTML email could reference a very large image URL (or one that streams data slowly and indefinitely), causing excessive memory usage or a hang.
```go
// view/html.go (excerpt): the remote image fetch has no size cap
resp, err := client.Get(url)
// ...
data, err := io.ReadAll(resp.Body) // reads until EOF, however large the body is
```
While the HTTP client has a 5-second timeout, a response that drips data slowly within that timeout could still deliver a significant amount of data.
### To reproduce
- Receive an HTML email with an `<img>` tag pointing to a URL that serves a very large file
- Open the email in matcha
- Memory usage spikes as the entire response is read into memory
### Expected behavior
Use `io.LimitReader(resp.Body, maxSize)` to cap the response body (e.g. 10MB), similar to how the plugin HTTP API limits responses to 1MB.
### OS
All platforms