fix: Limit HTTP error response body reads to prevent OOM#4191
Merged
gmlewis merged 4 commits intogoogle:masterfrom May 8, 2026
Merged
fix: Limit HTTP error response body reads to prevent OOM#4191gmlewis merged 4 commits intogoogle:masterfrom
gmlewis merged 4 commits intogoogle:masterfrom
Conversation
alexandear
reviewed
May 7, 2026
alexandear
reviewed
May 7, 2026
CheckResponse and the AcceptedError handler in bareDo both read HTTP error response bodies with no size limit: data, err := io.ReadAll(r.Body) // CheckResponse b, readErr := io.ReadAll(resp.Body) // AcceptedError A server returning a very large error body causes the client to exhaust memory. Wrap both reads with io.LimitReader capped at 1 MiB — sufficient for any real GitHub API error JSON. The webhook payload path already applies a 25 MiB limit in messages.go; this brings the error-response paths into alignment.
evilgensec
force-pushed
the
fix/limit-error-response-body-size
branch
from
192b849 to
499cf82
Compare
gmlewis
changed the title
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #4191 +/- ##
=======================================
Coverage 93.71% 93.71%
=======================================
Files 209 209
Lines 19772 19772
=======================================
Hits 18529 18529
Misses 1046 1046
Partials 197 197 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Add two tests verifying that HTTP error response bodies are capped at maxErrorBodySize bytes: - TestCheckResponse_LargeBodyTruncated: sends a body of maxErrorBodySize+1 bytes to a non-2xx response; asserts the body restored on the response is exactly maxErrorBodySize bytes after CheckResponse returns. - TestDo_AcceptedError_LargeBodyTruncated: serves a 202 Accepted with a body of maxErrorBodySize+1 bytes; asserts AcceptedError.Raw is exactly maxErrorBodySize bytes.
evilgensec
force-pushed
the
fix/limit-error-response-body-size
branch
from
8a06894 to
a791678
Compare
alexandear
approved these changes
May 8, 2026
gmlewis
approved these changes
May 8, 2026
Collaborator
gmlewis
left a comment
gmlewis
left a comment
There was a problem hiding this comment.
Thank you, @evilgensec and @alexandear!
LGTM.
Merging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Two paths in
github.goread HTTP error response bodies with no size limit:A server returning a very large error body causes the client process to exhaust memory. The webhook payload path already applies a 25 MiB limit via
io.LimitReaderinmessages.go; the error-response paths had no equivalent guard.Fix
Wrap both reads with
io.LimitReadercapped atmaxErrorBodySize(1 MiB):All existing tests pass.