Add server side check for maximum secret size

closes #138 Signed-off-by: Knut Ahlers <knut@ahlers.me>
2023-10-21 19:35:57 +02:00 · 2023-10-21 19:35:57 +02:00 · 1623e09225
commit 1623e09225
parent 9a530e1c66
2 changed files with 6 additions and 0 deletions
--- a/api.go
+++ b/api.go
@ -70,6 +70,11 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
 		return
 	}

+	if cust.MaxSecretSize > 0 && len(secret) > int(cust.MaxSecretSize) {
+		a.errorResponse(res, http.StatusBadRequest, errors.New("secret size exceeds maximum"), "")
+		return
+	}
+
 	id, err := a.store.Create(secret, time.Duration(expiry)*time.Second)
 	if err != nil {
 		a.errorResponse(res, http.StatusInternalServerError, err, "creating secret")
--- a/pkg/customization/customize.go
+++ b/pkg/customization/customize.go
@ -29,6 +29,7 @@ type (
 		DisableFileAttachment  bool   `json:"disableFileAttachment" yaml:"disableFileAttachment"`
 		MaxAttachmentSizeTotal int64  `json:"maxAttachmentSizeTotal" yaml:"maxAttachmentSizeTotal"`

+		MaxSecretSize     int64  `json:"-" yaml:"maxSecretSize"`
 		OverlayFSPath     string `json:"-" yaml:"overlayFSPath"`
 		UseFormalLanguage bool   `json:"-" yaml:"useFormalLanguage"`
 	}