fix(security): limit API key creation body to 4 KiB (INPUT-2) (#3978)

Wrap req.Body with http.MaxBytesReader before io.ReadAll in
CreateAPIKey. Requests with bodies larger than MaxAPIKeyBodySize
(4 KiB) now return HTTP 413 instead of buffering arbitrary data.

Add the MaxAPIKeyBodySize constant, update the Swagger @Failure
annotation to document 413, and add a unit test.

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
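To make the change described in the commit message concrete, here is an added example (written for this page, not the project's own CreateAPIKey handler) of the pattern it applies: wrap the request body with http.MaxBytesReader before io.ReadAll, detect the resulting *http.MaxBytesError, and answer with HTTP 413 instead of buffering an unbounded body. The request type, the `/apikeys` path and the handler name are assumptions for the illustration; only the 4 KiB constant comes from the commit.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxAPIKeyBodySize mirrors the 4 KiB limit introduced by the commit.
const MaxAPIKeyBodySize = 4 * 1024

// apiKeyRequest is a hypothetical request shape used only for this example.
type apiKeyRequest struct {
	Label string `json:"label"`
}

// createAPIKey bounds the body before buffering it. Without the
// MaxBytesReader wrapper, io.ReadAll allocates whatever the client sends.
func createAPIKey(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxAPIKeyBodySize)

	body, err := io.ReadAll(r.Body)
	if err != nil {
		// MaxBytesReader signals the overrun with a typed error; map it to 413
		// so the client learns the limit rather than a generic read failure.
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "failed to read request body", http.StatusBadRequest)
		return
	}

	var req apiKeyRequest
	if err := json.Unmarshal(body, &req); err != nil || req.Label == "" {
		http.Error(w, "invalid request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// postAPIKey drives the handler in-process with the given body and returns
// the HTTP status, so the limit can be exercised without a listening server.
func postAPIKey(body string) int {
	rec := httptest.NewRecorder()
	// Hypothetical path; the project's real route is not part of this example.
	req := httptest.NewRequest(http.MethodPost, "/apikeys", strings.NewReader(body))
	createAPIKey(rec, req)
	return rec.Code
}

func main() {
	small := `{"label":"ci-runner"}`
	// Constructed oversized body: syntactically valid JSON padded past the limit.
	big := `{"label":"` + strings.Repeat("x", MaxAPIKeyBodySize) + `"}`
	fmt.Println(postAPIKey(small), postAPIKey(big), postAPIKey("not json"))
}
```

The ordering matters: the wrapper must be installed before any read of r.Body, and the 413 branch must be checked before the generic error path, otherwise an oversized body is reported as a malformed one and the limit is invisible to clients and to monitoring.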
Ramkumar Chinchani
2026-04-18 10:39:08 -07:00
committed by GitHub
parent 35c29b95e4
commit eadc9b65ed
6 changed files with 44 additions and 4 deletions
+3 -1
@@ -22,7 +22,9 @@ const (
MaxManifestDigestQueryTags = (8192 - 2048) / (len("tag=") + 128 + 1)
// MaxManifestBodySize is the maximum number of bytes accepted for a manifest PUT request body.
// OCI manifest JSON is always small metadata; 4 MiB is well above any realistic manifest.
MaxManifestBodySize = 4 * 1024 * 1024
MaxManifestBodySize = 4 * 1024 * 1024
// MaxAPIKeyBodySize is the maximum number of bytes accepted for an API-key creation request body.
MaxAPIKeyBodySize = 4 * 1024
BlobUploadUUID = "Blob-Upload-UUID"
DefaultMediaType = "application/json"
BinaryMediaType = "application/octet-stream"
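Review bot: the new MaxAPIKeyBodySize constant says what it is but, unlike MaxManifestBodySize directly above it, gives no rationale for the number; since this limit is the control the commit introduces, add the reasoning the way the manifest comment does, along the lines of `// An API-key creation body is a small JSON object; 4 KiB is well above any realistic request.` Separately, the MaxManifestBodySize line appears twice in this hunk and the file stat is +3 -1, so one of the two is a removal and the other a re-add; it is worth confirming that only whitespace or alignment changed on that line and the manifest limit itself is untouched.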