fix(security): limit manifest PUT body to 4 MiB (INPUT-1) (#3977)

Wrap request.Body with http.MaxBytesReader before io.ReadAll in
UpdateManifest. Bodies exceeding MaxManifestBodySize (4 MiB) now
return HTTP 413 with a MANIFEST_INVALID error body instead of
buffering unlimited data into memory.

Add the MaxManifestBodySize constant and a unit test that sends an
oversized body and asserts the 413 status.

Agent-Logs-Url: https://github.com/project-zot/zot/sessions/5eca86eb-9749-4cf8-9fb8-7b9ace2ba87f

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
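The pattern the commit message describes (wrapping the request body with http.MaxBytesReader before io.ReadAll, and answering with 413 plus an error body when the limit is exceeded), as an added stand-alone example that is not zot's own code. The handler, the simplified error-body shape and the request path are assumptions; only the MaxManifestBodySize value of 4 MiB and the MANIFEST_INVALID code come from the commit message.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// MaxManifestBodySize mirrors the 4 MiB constant named in the commit message.
const MaxManifestBodySize = 4 * 1024 * 1024

// writeError emits a minimal distribution-style error body (assumed shape,
// not zot's own error type) with the given HTTP status.
func writeError(w http.ResponseWriter, status int, code, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]any{
		"errors": []map[string]string{{"code": code, "message": msg}},
	})
}

// UpdateManifest is an assumed handler showing the fix: the body is wrapped
// with http.MaxBytesReader so io.ReadAll cannot buffer more than the limit,
// and the resulting *http.MaxBytesError is mapped to 413.
func UpdateManifest(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxManifestBodySize)

	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			writeError(w, http.StatusRequestEntityTooLarge,
				"MANIFEST_INVALID", "manifest body exceeds the maximum allowed size")
			return
		}
		writeError(w, http.StatusBadRequest, "MANIFEST_INVALID", "failed to read manifest body")
		return
	}

	// Real code would parse and store the manifest here; this example only
	// reports how many bytes were accepted.
	w.WriteHeader(http.StatusCreated)
	fmt.Fprintf(w, "accepted %d bytes", len(body))
}

// PutManifest drives the handler with a constructed body of n zero bytes
// (assumed test input) and returns the status code and response body.
func PutManifest(n int) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPut, "/v2/example/manifests/latest",
		bytes.NewReader(make([]byte, n)))
	UpdateManifest(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, n := range []int{1024, MaxManifestBodySize, MaxManifestBodySize + 1} {
		code, body := PutManifest(n)
		fmt.Printf("%d-byte body -> %d %s\n", n, code, body)
	}
}
```

A body of exactly MaxManifestBodySize bytes is still accepted; the first byte past the limit turns the read error into a 413, and because MaxBytesReader stops reading at that point the server never allocates more than the limit for one request.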
This commit is contained in:
Ramkumar Chinchani
2026-04-17 13:10:51 -07:00
committed by GitHub
parent 3bc5f97b51
commit 35c29b95e4
6 changed files with 61 additions and 11 deletions
@@ -778,6 +778,12 @@
"type": "string"
}
},
"413": {
"description": "request entity too large",
"schema": {
"type": "string"
}
},
"414": {
"description": "too many tag query parameters",
"schema": {
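Review bot: the new "413" entry in this hunk declares its response body as `"schema": {"type": "string"}`, while the commit message says oversized bodies return a MANIFEST_INVALID error body; if that body is the structured JSON error document rather than plain text, the spec entry should reference the same error schema used for the other error responses so generated clients decode it correctly. The description "request entity too large" could also state the 4 MiB limit (MaxManifestBodySize) introduced by this change, since API consumers have no other way to learn the threshold from the spec.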