fix(security): limit API key creation body to 4 KiB (INPUT-2) (#3978)

Wrap req.Body with http.MaxBytesReader before io.ReadAll in
CreateAPIKey. Requests with bodies larger than MaxAPIKeyBodySize
(4 KiB) now return HTTP 413 instead of buffering arbitrary data.

Add the MaxAPIKeyBodySize constant, update the Swagger @Failure
annotation to document 413, and add a unit test.

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
Ramkumar Chinchani
2026-04-18 10:39:08 -07:00
committed by GitHub
parent 35c29b95e4
commit eadc9b65ed
6 changed files with 44 additions and 4 deletions
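The MaxBytesReader change the commit message describes, shown as an added Go example that is not the project's own code: the unbounded "before" handler next to the bounded one, plus a small driver that sends a body one byte over the 4 KiB cap. The handler names, the `/apikey` route and the x-filled request body are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxAPIKeyBodySize mirrors the 4 KiB cap named in the commit message.
const MaxAPIKeyBodySize = 4 * 1024

// createAPIKeyUnbounded is the "before" shape: io.ReadAll buffers whatever the client sends.
func createAPIKeyUnbounded(w http.ResponseWriter, r *http.Request) {
	if _, err := io.ReadAll(r.Body); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated) // JSON parsing and key storage would follow here
}

// createAPIKeyBounded is the hardened shape: MaxBytesReader stops ReadAll at
// the cap and surfaces *http.MaxBytesError, which is mapped to HTTP 413.
func createAPIKeyBounded(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxAPIKeyBodySize)
	if _, err := io.ReadAll(r.Body); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request entity too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
}

// statusFor drives a handler with a constructed n-byte body (the route is a
// placeholder, not the project's own path) and returns the status code.
func statusFor(h http.HandlerFunc, n int) int {
	body := strings.NewReader(strings.Repeat("x", n))
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodPost, "/apikey", body))
	return rec.Code
}

func main() { // prints "201 413": the unbounded handler accepts the oversized body, the bounded one rejects it
	println(statusFor(createAPIKeyUnbounded, MaxAPIKeyBodySize+1), statusFor(createAPIKeyBounded, MaxAPIKeyBodySize+1))
}
```

A body of exactly MaxAPIKeyBodySize bytes still passes, since MaxBytesReader only fails once a read goes past the limit.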
@@ -1099,6 +1099,12 @@ const docTemplate = `{
"type": "string"
}
},
"413": {
"description": "request entity too large",
"schema": {
"type": "string"
}
},
"500": {
"description": "internal server error",
"schema": {