Add annotation to limit body size of incoming requests #26565

Open
LukasReschke opened this issue Apr 14, 2021 · 2 comments
Labels: 1. to develop (Accepted and waiting to be taken care of), enhancement, security

Comments

@LukasReschke
Member

LukasReschke commented Apr 14, 2021

As suggested by @blizzz, we should consider adding an annotation to the AppFramework that limits the incoming body size. This can help in cases where we could accidentally store too much data in the database.

The annotation could by default be set to a reasonably high limit such as 1MB, and the limit should be overwritable by developers. (or even completely disabled)

@LukasReschke LukasReschke added this to Backlog in Security Hardenings via automation Apr 14, 2021
@LukasReschke LukasReschke added this to Backlog in Security Apr 26, 2021
@szaimen szaimen added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label May 20, 2021
@LukasReschke LukasReschke moved this from Backlog to Planned in Security May 25, 2021
@LukasReschke LukasReschke self-assigned this May 25, 2021
@LukasReschke
Member Author

LukasReschke commented May 25, 2021

So this is slightly trickier than expected as there doesn't seem to be a straightforward way to access the size of the request without reading it fully. I'd however like to avoid reading the whole request into once before hitting the AppFramework. (my first intuition was writing an AppFramework middleware)

Other potential approaches:

  • Throw the exception when reading the variable inside Request.php of the AppFramework
  • ...?

@LukasReschke
Member Author

(instead of a full strlen we could also do an isset on the element which could speed up things)

@szaimen szaimen added 1. to develop Accepted and waiting to be taken care of and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jul 6, 2021
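
One way to enforce a body size limit without reading the whole request, as an added example that is not Nextcloud's code and not from the issue's author: reject on the declared Content-Length first, then read at most limit + 1 bytes from the stream. `readBoundedBody`, `BodyTooLargeException` and `sampleStream` are hypothetical names, and in-memory streams stand in for the real request body.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type, not a Nextcloud class.
final class BodyTooLargeException extends RuntimeException {}

// Read a request body from $stream, refusing anything above $limit bytes.
// $declaredLength is the raw Content-Length header value, or null when the
// header is absent (for example with chunked transfer encoding).
function readBoundedBody($stream, int $limit, ?string $declaredLength): string
{
    // Fast path: reject on the declared size before reading any body bytes.
    if ($declaredLength !== null && ctype_digit($declaredLength)
        && (int)$declaredLength > $limit) {
        throw new BodyTooLargeException("declared body exceeds $limit bytes");
    }

    // The header can be missing or wrong, so the read itself is capped too.
    // Asking for $limit + 1 bytes detects an oversized body while buffering
    // at most one byte more than the limit.
    $body = stream_get_contents($stream, $limit + 1);
    if ($body === false) {
        throw new RuntimeException('could not read request body');
    }
    if (strlen($body) > $limit) {
        throw new BodyTooLargeException("body exceeds $limit bytes");
    }
    return $body;
}

// Constructed sample input: an in-memory stream stands in for php://input.
function sampleStream(string $data)
{
    $s = fopen('php://memory', 'r+');
    fwrite($s, $data);
    rewind($s);
    return $s;
}

$limit = 1024 * 1024; // 1 MB, the default suggested in the issue
echo strlen(readBoundedBody(sampleStream(str_repeat('a', 512)), $limit, '512')), "\n";

try {
    // Oversized body sent without a Content-Length header.
    readBoundedBody(sampleStream(str_repeat('a', $limit + 10)), $limit, null);
} catch (BodyTooLargeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```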