From 15147cea8e42f6569a11603d661d71122f6a02dc Mon Sep 17 00:00:00 2001 From: Matthew Esposito Date: Wed, 19 Mar 2025 22:58:51 -0400 Subject: [PATCH] fix: add resource limits on encoded prefs route --- src/settings.rs | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/settings.rs b/src/settings.rs index 6649f69..2efbbba 100644 --- a/src/settings.rs +++ b/src/settings.rs @@ -11,6 +11,7 @@ use futures_lite::StreamExt; use hyper::{Body, Request, Response}; use rinja::Template; use time::{Duration, OffsetDateTime}; +use tokio::time::timeout; use url::form_urlencoded; // STRUCTS @@ -269,6 +270,10 @@ pub async fn encoded_restore(req: Request) -> Result, Strin .await .map_err(|e| format!("Failed to get bytes from request body: {}", e))?; + if body.len() > 1024 * 1024 { + return Err("Request body too large".to_string()); + } + let encoded_prefs = form_urlencoded::parse(&body) .find(|(key, _)| key == "encoded_prefs") .map(|(_, value)| value) @@ -276,9 +281,15 @@ pub async fn encoded_restore(req: Request) -> Result, Strin let bytes = base2048::decode(&encoded_prefs).ok_or_else(|| "Failed to decode base2048 encoded preferences".to_string())?; - let out = deflate_decompress(bytes)?; + let out = timeout(std::time::Duration::from_secs(1), async { deflate_decompress(bytes) }) + .await + .map_err(|e| format!("Failed to decompress bytes: {}", e))??; + + let mut prefs: Preferences = timeout(std::time::Duration::from_secs(1), async { bincode::deserialize(&out) }) + .await + .map_err(|e| format!("Failed to deserialize preferences: {}", e))? + .map_err(|e| format!("Failed to deserialize bytes into Preferences struct: {}", e))?; - let mut prefs: Preferences = bincode::deserialize(&out).map_err(|e| format!("Failed to deserialize bytes into Preferences struct: {}", e))?; prefs.available_themes = vec![]; let url = format!("/settings/restore/?{}", prefs.to_urlencoded()?);