limit webhook payload size in ValidatePayloadFromBody

Author: YooLCD

github/messages.go

@@ -42,6 +42,10 @@ const (
 	EventTypeHeader = "X-Github-Event"
 	// DeliveryIDHeader is the GitHub header key used to pass the unique ID for the webhook event.
 	DeliveryIDHeader = "X-Github-Delivery"
+
+	// maxPayloadSize is the maximum size of a GitHub webhook payload.
+	// GitHub documents a 25 MB limit for webhook payloads.
+	maxPayloadSize = 25 * 1024 * 1024
 )
 
 var (
@@ -199,9 +203,12 @@ func ValidatePayloadFromBody(contentType string, readable io.Reader, signature s
 	switch contentType {
 	case "application/json":
 		var err error
-		if body, err = io.ReadAll(readable); err != nil {
+		if body, err = io.ReadAll(io.LimitReader(readable, maxPayloadSize+1)); err != nil {
 			return nil, err
 		}
+		if int64(len(body)) > maxPayloadSize {
+			return nil, errors.New("webhook payload exceeds maximum allowed size")
+		}
 
 		// If the content type is application/json,
 		// the JSON payload is just the original body.
@@ -213,9 +220,12 @@ func ValidatePayloadFromBody(contentType string, readable io.Reader, signature s
 		const payloadFormParam = "payload"
 
 		var err error
-		if body, err = io.ReadAll(readable); err != nil {
+		if body, err = io.ReadAll(io.LimitReader(readable, maxPayloadSize+1)); err != nil {
 			return nil, err
 		}
+		if int64(len(body)) > maxPayloadSize {
+			return nil, errors.New("webhook payload exceeds maximum allowed size")
+		}
 
 		// If the content type is application/x-www-form-urlencoded,
 		// the JSON payload will be under the "payload" form param.

github/messages_test.go

@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -205,6 +206,16 @@ func (b *badReader) Read([]byte) (int, error) {
 
 func (b *badReader) Close() error { return errors.New("bad reader") }
 
+// infiniteReader is an io.Reader that returns zeros indefinitely.
+type infiniteReader struct{}
+
+func (infiniteReader) Read(p []byte) (int, error) {
+	for i := range p {
+		p[i] = 0
+	}
+	return len(p), nil
+}
+
 func TestValidatePayload_BadRequestBody(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
@@ -228,6 +239,31 @@ func TestValidatePayload_BadRequestBody(t *testing.T) {
 	}
 }
 
+func TestValidatePayload_OversizedBody(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		contentType string
+	}{
+		{contentType: "application/json"},
+		{contentType: "application/x-www-form-urlencoded"},
+	}
+
+	for i, tt := range tests {
+		t.Run(fmt.Sprintf("test #%v", i), func(t *testing.T) {
+			t.Parallel()
+			// Simulate a reader that reports more than maxPayloadSize bytes.
+			oversized := io.LimitReader(infiniteReader{}, maxPayloadSize+1)
+			req := &http.Request{
+				Header: http.Header{"Content-Type": []string{tt.contentType}},
+				Body:   io.NopCloser(oversized),
+			}
+			if _, err := ValidatePayload(req, nil); err == nil {
+				t.Fatal("ValidatePayload returned nil; want error for oversized body")
+			}
+		})
+	}
+}
+
 func TestValidatePayload_InvalidContentTypeParams(t *testing.T) {
 	t.Parallel()
 	req, err := http.NewRequest("POST", "http://localhost/event", nil)