eric/mailpit
1
0
Fork 0
mirror of https://github.com/axllent/mailpit.git synced 2026-06-27 22:46:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Security: Limit proxy requests to 50MB to prevent OOM attacks

Browse Source
This commit is contained in:
Ralph Slooten
2026-03-09 12:30:16 +13:00
parent 267bf8b639
commit f8052e1d56
1 changed files with 13 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/handlers/proxy.go
View File

@@ -23,6 +23,12 @@ import (
"github.com/axllent/mailpit/internal/tools"
)
const (
// maxProxyBodySize is the maximum number of bytes read from a proxied
// response body (fonts, images, CSS). Prevents OOM on oversized responses.
maxProxyBodySize = 50 * 1024 * 1024 // 50 MB
)
var (
linkRe = regexp.MustCompile(`(?i)^https?:\/\/`)
@@ -164,12 +170,18 @@ func ProxyHandler(w http.ResponseWriter, r *http.Request) {
return
}
body, err := io.ReadAll(resp.Body)
limitedBody := io.LimitReader(resp.Body, maxProxyBodySize+1)
body, err := io.ReadAll(limitedBody)
if err != nil {
logger.Log().Warnf("[proxy] %s", err.Error())
httpError(w, "Error: invalid request")
return
}
if int64(len(body)) > maxProxyBodySize {
logger.Log().Warnf("[proxy] response body for %s exceeds %d bytes, blocking", uri, maxProxyBodySize)
httpError(w, "Error: response too large")
return
}
// relay common headers
w.Header().Set("content-type", ct)