Commit a00a3460 authored by Jacob Vosmaer's avatar Jacob Vosmaer

Don't buffer unlimited data in memory

parent 23a16410
...@@ -20,6 +20,8 @@ import ( ...@@ -20,6 +20,8 @@ import (
"gitlab.com/gitlab-org/gitlab-workhorse/internal/helper" "gitlab.com/gitlab-org/gitlab-workhorse/internal/helper"
) )
const uploadPackRequestLimit = 1000000
func GetInfoRefs(a *api.API) http.Handler { func GetInfoRefs(a *api.API) http.Handler {
return repoPreAuthorizeHandler(a, handleGetInfoRefs) return repoPreAuthorizeHandler(a, handleGetInfoRefs)
} }
...@@ -115,8 +117,8 @@ func handlePostRPC(w http.ResponseWriter, r *http.Request, a *api.Response) { ...@@ -115,8 +117,8 @@ func handlePostRPC(w http.ResponseWriter, r *http.Request, a *api.Response) {
} }
if action == "git-upload-pack" { if action == "git-upload-pack" {
buffer := &bytes.Buffer{} buffer, err := bufferPostBody(r.Body)
if _, err := io.Copy(buffer, r.Body); err != nil { if err != nil {
helper.Fail500(w, r, &copyError{fmt.Errorf("handlePostRPC: buffer git-upload-pack body: %v")}) helper.Fail500(w, r, &copyError{fmt.Errorf("handlePostRPC: buffer git-upload-pack body: %v")})
return return
} }
...@@ -192,3 +194,12 @@ func isExitError(err error) bool { ...@@ -192,3 +194,12 @@ func isExitError(err error) bool {
func subCommand(rpc string) string { func subCommand(rpc string) string {
return strings.TrimPrefix(rpc, "git-") return strings.TrimPrefix(rpc, "git-")
} }
func bufferPostBody(body io.Reader) (*bytes.Buffer, error) {
buffer := &bytes.Buffer{}
n, err := io.Copy(buffer, &io.LimitedReader{R: body, N: uploadPackRequestLimit})
if err == nil && n == uploadPackRequestLimit {
err = fmt.Errorf("request body too large (more than %d bytes)", uploadPackRequestLimit-1)
}
return buffer, err
}
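Review bot: bufferPostBody cannot tell a body of exactly uploadPackRequestLimit bytes from a larger one, because the `io.LimitedReader` stops at `N: uploadPackRequestLimit` and the `n == uploadPackRequestLimit` check then rejects both cases. Reading one byte past the limit makes the boundary exact: `N: uploadPackRequestLimit + 1` together with `if err == nil && n > uploadPackRequestLimit {`, after which the message can report `uploadPackRequestLimit` instead of `uploadPackRequestLimit-1`. The caller in the second hunk routes this error through `helper.Fail500`, so an oversized client upload is reported as a server-side 500 where a 413 (`http.StatusRequestEntityTooLarge`) would tell the client what was wrong and keep the size limit from looking like an outage in error-rate dashboards. That same call passes `fmt.Errorf("handlePostRPC: buffer git-upload-pack body: %v")` with no argument for `%v`, so the `err` returned by bufferPostBody, including the new size message, is never logged; it should be `fmt.Errorf("...: %v", err)`. handlePostRPC starts and ends outside the second hunk.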
package git
import (
"bytes"
"testing"
)
func TestBufferPostBodyLimiting(t *testing.T) {
_, err := bufferPostBody(bytes.NewReader(make([]byte, 2000000)))
t.Log(err)
if err == nil {
t.Fatalf("expected an error, received nil")
}
}
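Review bot: TestBufferPostBodyLimiting only asserts that an oversized body is rejected, so an implementation that rejects every body would still pass. A second case that a body of `uploadPackRequestLimit-1` bytes returns a nil error with `buffer.Len()` equal to that size, and a third that exactly `uploadPackRequestLimit` bytes is rejected, would pin the accept path and the boundary the limit enforces. Consider also asserting on the error text rather than only `t.Log(err)`, so a failure from the underlying reader is not mistaken for the size check firing.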