Skip to content

Security: OAuth callback HTTP request line is read without length limit#732

Open
kumburovicbranko682-boop wants to merge 1 commit into
jpochyla:mainfrom
kumburovicbranko682-boop:contribai/fix/security/oauth-callback-http-request-line-is-read
Open

Security: OAuth callback HTTP request line is read without length limit#732
kumburovicbranko682-boop wants to merge 1 commit into
jpochyla:mainfrom
kumburovicbranko682-boop:contribai/fix/security/oauth-callback-http-request-line-is-read

Conversation

@kumburovicbranko682-boop

Copy link
Copy Markdown

Problem

The handle_callback_connection function uses reader.read_line(&mut request_line) with no bound on the size of the line an attacker can send. A malicious process on localhost can open a TCP connection to 127.0.0.1:8888 and stream gigabytes of data without a newline, causing unbounded memory allocation until the process is OOM-killed. While the listener only runs during the OAuth sign-in window, any local process or script can exploit this.

Severity: medium
File: psst-core/src/oauth.rs

Solution

Read with a size limit using BufRead::read_line replacement or a manual loop with a cap. For example, limit to 8 KiB:

Changes

  • psst-core/src/oauth.rs (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

…h limit

The `handle_callback_connection` function uses `reader.read_line(&mut request_line)` with no bound on the size of the line an attacker can send. A malicious process on localhost can open a TCP connection to 127.0.0.1:8888 and stream gigabytes of data without a newline, causing unbounded memory allocation until the process is OOM-killed. While the listener only runs during the OAuth sign-in window, any local process or script can exploit this.


Affected files: oauth.rs

Signed-off-by: kumburovicbranko682-boop <295886834+kumburovicbranko682-boop@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant