Skip to content

fix: context passing and response size limit #864

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: context passing and response size limit #864

wants to merge 1 commit into from
+9 −5

Conversation

alnr
Copy link
Contributor

@alnr alnr commented Sep 8, 2025

Stumbled across this by chance.

@alnr alnr requested review from hperl and zepatrik September 8, 2025 15:11
@alnr alnr self-assigned this Sep 8, 2025
@alnr alnr requested review from aeneasr and a team as code owners September 8, 2025 15:11
gaultier
gaultier approved these changes Sep 9, 2025
View reviewed changes
Copy link

@gaultier gaultier left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but there's something wrong with the CI setup

vivshankar
vivshankar reviewed Sep 9, 2025
View reviewed changes
authorize_request_handler.go
return errorsx.WithStack(ErrInvalidRequestURI.WithHintf("Unable to fetch OpenID Connect request parameters from 'request_uri' because: %s.", err.Error()).WithWrap(err).WithDebug(err.Error()))
}
defer response.Body.Close()
response.Body = io.NopCloser(io.LimitReader(response.Body, 10*1024*1024)) // limit to 10MiB
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the limit be configurable? You could make it a config property in Fosite struct itself.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that's necessary. This is a defence mechanism only. Do you think 10MiB is too small?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hard to say, particularly with RAR. I don't see any reason why it shouldn't be parameterized.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any reason why it shouldn't be parameterized.

The reason is that it's more complicated (more code).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO this should be controlled by the OP using Fosite. Perhaps just a property in the struct? It doesn't have to be a full blown Configurator...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gaultier gaultier gaultier approved these changes

@hperl hperl Awaiting requested review from hperl

@zepatrik zepatrik Awaiting requested review from zepatrik

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

+1 more reviewer

@vivshankar vivshankar vivshankar left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@alnr alnr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alnr @vivshankar @gaultier