Limit read of well-known files #1

New issue

Open

opened 2026-03-19 21:13:32 +00:00 by Jade · 12 comments

Jade commented 2026-03-19 21:13:32 +00:00

Owner

Copy link

CWE-409 or similar

CWE-409 or similar

s1lv3r commented 2026-04-14 23:31:55 +00:00

Contributor

Copy link

with "limit read" here do you mean like limit how much data is read?

with "limit read" here do you mean like limit how much data is read?

Henry-Hiles commented 2026-04-14 23:34:24 +00:00

Copy link

@s1lv3r wrote in #1 (comment):

with "limit read" here do you mean like limit how much data is read?

I think so, to avoid e.g. zip bombs

@s1lv3r wrote in https://forgejo.ellis.link/continuwuation/resolvematrix/issues/1#issuecomment-28052: > with "limit read" here do you mean like limit how much data is read? I think so, to avoid e.g. zip bombs

Henry-Hiles commented 2026-04-14 23:34:38 +00:00

Copy link

Something similar to spider size for URL previews could be used I guess?

Something similar to spider size for URL previews could be used I guess?

s1lv3r commented 2026-04-14 23:39:29 +00:00

Contributor

Copy link

or set a hardcoded max of like 1MB, no reasonable well-known file will ever be above that size

or set a hardcoded max of like 1MB, no reasonable well-known file will ever be above that size

👍 1

Jade commented 2026-04-14 23:40:09 +00:00

Author

Owner

Copy link

It's just an option that needs to be passed to reqwest iirc, not too hard to do.

It's just an option that needs to be passed to reqwest iirc, not too hard to do.

s1lv3r commented 2026-04-15 00:07:25 +00:00

Contributor

Copy link

Looked into it, would have to be done using either:

• Response::content_length(): Not always known
• Chunking, reading e.g. 8096 bytes at a time, adding to a Vec, counting the total (as described in https://github.com/seanmonstar/reqwest/issues/848)

Probably the easiest to do the former, and fall back to the latter if the former fails. Will start an implementation.

Looked into it, would have to be done using either: - [`Response::content_length()`](https://docs.rs/reqwest/latest/reqwest/struct.Response.html#method.content_length): Not always known - Chunking, reading e.g. 8096 bytes at a time, adding to a `Vec`, counting the total (as described in https://github.com/seanmonstar/reqwest/issues/848) Probably the easiest to do the former, and fall back to the latter if the former fails. Will start an implementation.

Henry-Hiles commented 2026-04-15 00:08:50 +00:00

Copy link

@s1lv3r wrote in #1 (comment):

Looked into it, would have to be done using either:

* [`Response::content_length()`](https://docs.rs/reqwest/latest/reqwest/struct.Response.html#method.content_length): Not always known

One of the reasons this isnt known is

The response is gzipped and automatically decoded (thus changing the actual decoded length).

Given the CWE this is trying to avoid is with GZIP/compressed content, I would say that way is not helpful really.

@s1lv3r wrote in https://forgejo.ellis.link/continuwuation/resolvematrix/issues/1#issuecomment-28061: > Looked into it, would have to be done using either: > > * [`Response::content_length()`](https://docs.rs/reqwest/latest/reqwest/struct.Response.html#method.content_length): Not always known One of the reasons this isnt known is > The response is gzipped and automatically decoded (thus changing the actual decoded length). > Given the CWE this is trying to avoid is with GZIP/compressed content, I would say that way is not helpful really.

Henry-Hiles commented 2026-04-15 00:09:26 +00:00

Copy link

Anyways, I thought jade said it was just one param

Anyways, I thought jade said it was just one param

s1lv3r commented 2026-04-15 00:09:58 +00:00

Contributor

Copy link

I thought so too, doesn't look like it from what I could find

I thought so too, doesn't look like it from what I could find

Jade commented 2026-04-15 00:13:33 +00:00

Author

Owner

Copy link

It's already done in Continuwuity, I was just going to copy from there

It's already done in Continuwuity, I was just going to copy from there

s1lv3r commented 2026-04-15 00:14:33 +00:00

Contributor

Copy link

oh

good idea, might as well yeah

oh good idea, might as well yeah

s1lv3r referenced this issue from continuwuation/continuwuity 2026-04-19 12:20:34 +00:00

Rewrite resolver service #1505

nex added a new dependency 2026-04-28 03:52:11 +00:00

continuwuation/continuwuity#1505 - Rewrite resolver service

nex commented 2026-04-28 03:52:59 +00:00

Owner

Copy link

@Jade wrote in #1 (comment):

It's already done in Continuwuity, I was just going to copy from there

Relevant file: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/src/core/utils/response.rs

@Jade wrote in https://forgejo.ellis.link/continuwuation/resolvematrix/issues/1#issuecomment-28065: > It's already done in Continuwuity, I was just going to copy from there Relevant file: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/src/core/utils/response.rs

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

v0.0.4

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

4 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks

#1505 Rewrite resolver service

continuwuation/continuwuity

Reference

continuwuation/resolvematrix#1

No description provided.