From 1623e09225a1136b50de4cdebb79e69c399b0a55 Mon Sep 17 00:00:00 2001
From: Knut Ahlers
Date: Sat, 21 Oct 2023 19:35:57 +0200
Subject: [PATCH] Add server side check for maximum secret size closes #138
Signed-off-by: Knut Ahlers
---
 api.go | 5 +++++
 pkg/customization/customize.go | 1 +
 2 files changed, 6 insertions(+)
diff --git a/api.go b/api.go
index 09e91c9..4c7a610 100644
--- a/api.go
+++ b/api.go
@@ -70,6 +70,11 @@ func (a apiServer) handleCreate(res http.ResponseWriter, r *http.Request) {
 return
 }
+ if cust.MaxSecretSize > 0 && len(secret) > int(cust.MaxSecretSize) {
+ a.errorResponse(res, http.StatusBadRequest, errors.New("secret size exceeds maximum"), "")
+ return
+ }
+
 id, err := a.store.Create(secret, time.Duration(expiry)*time.Second)
 if err != nil {
 a.errorResponse(res, http.StatusInternalServerError, err, "creating secret")
diff --git a/pkg/customization/customize.go b/pkg/customization/customize.go
index ecce967..1069b85 100644
--- a/pkg/customization/customize.go
+++ b/pkg/customization/customize.go
@@ -29,6 +29,7 @@ type (
 DisableFileAttachment bool `json:"disableFileAttachment" yaml:"disableFileAttachment"`
 MaxAttachmentSizeTotal int64 `json:"maxAttachmentSizeTotal" yaml:"maxAttachmentSizeTotal"`
+ MaxSecretSize int64 `json:"-" yaml:"maxSecretSize"`
 OverlayFSPath string `json:"-" yaml:"overlayFSPath"`
 UseFormalLanguage bool `json:"-" yaml:"useFormalLanguage"`
 }
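Review bot: The comparison `len(secret) > int(cust.MaxSecretSize)` in the api.go hunk narrows the int64 limit to int, so on a 32-bit build a configured value above MaxInt32 wraps and the effective limit becomes negative or unrelated to what the operator set. Comparing in the wider type avoids this: `if cust.MaxSecretSize > 0 && int64(len(secret)) > cust.MaxSecretSize {`. The check also runs on `secret` after it has been taken from the request, so it limits what is stored rather than what the server reads. Whether the body is capped earlier in handleCreate is not visible here (the function starts and ends outside the hunk); if it is not, wrapping `r.Body` in `http.MaxBytesReader` before parsing would bound memory use as well. `http.StatusRequestEntityTooLarge` would also tell clients more precisely than 400 why the request was refused.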
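Review bot: The new `MaxSecretSize` field in customize.go has no comment stating its unit or that the zero value means "no limit", which is how the api.go check treats it (`cust.MaxSecretSize > 0`). An unset `maxSecretSize` therefore leaves secret size unbounded, and that default should be stated next to the field, e.g. `// MaxSecretSize caps len(secret) accepted by the create handler (bytes, assuming secret is a string or byte slice); 0, the default, disables the check`. The `json:"-"` tag keeps the value out of JSON output, so a client that reads this struct as JSON cannot learn the limit and reject oversized input before upload; this is presumably intentional but should be confirmed. The struct declaration starts outside the hunk.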