fix(sources): cap decompressed body to prevent OOM#25488
Draft
pront wants to merge 2 commits into
Draft
Conversation
The shared decompress_body helper used by http_server, prometheus_remote_write, prometheus_pushgateway, heroku_logs, and the opentelemetry HTTP receiver previously read the gzip/deflate/zstd/snappy output into an unbounded Vec. A single unauthenticated POST with a small compressed bomb could OOM-kill the Vector process. Cap the decompressed payload at 100 MiB and return HTTP 413 when exceeded. gzip/deflate/zstd are wrapped with io::Take; snappy is rejected up front via snap::raw::decompress_len before allocating. Also short-circuit at the warp layer when the declared Content-Length already exceeds the cap. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions
Bot
added
the
domain: sources
decompress_body is pub, but DEFAULT_MAX_DECOMPRESSED_BODY_SIZE and decompress_body_with_limit are pub(crate). The intra-doc link lint fails CI under #![deny(warnings)] when public docs reference private items. Inline the 100 MiB number in the doc comment instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
decompress_body(shared byhttp_server,prometheus_remote_write,prometheus_pushgateway,heroku_logs, and theopentelemetryHTTP receiver) decoded gzip/deflate/zstd/snappy request bodies into an unboundedVec. A single unauthenticated POST with a small compressed bomb could OOM-kill Vector in a fraction of a second.This PR caps the decompressed payload at 100 MiB and returns HTTP 413 when exceeded. The cap is a constant for now; a follow-up can expose it as a config field if needed.
Vector configuration
No configuration changes.
How did you test this PR?
Unit tests in
encoding.rsplus an end-to-end test inhttp_serverthat posts a 200 MiB gzip bomb and asserts a 413 response.Change Type
Is this a breaking change?
Does this PR include user facing changes?