limit response bodies

master
magical 2021-12-31 22:24:58 +00:00
parent 808cc164f1
commit ac5bfa7ad7
1 changed files with 61 additions and 1 deletions

View File

@ -3,6 +3,7 @@ package main
import (
"bytes"
"context"
"errors"
"fmt"
"io"
"log"
@ -17,9 +18,12 @@ import (
"golang.org/x/net/html/atom"
)
const maxResponseSize = 1e6 // 1MB
// https://docs.joinmastodon.org/spec/microformats/
// Root elements (h-*)
//
// h-feed
// Represents a stream of entries. Attached to a profile's toots. Also
// attached to the parent thread within detailed status views.
@ -127,8 +131,9 @@ func (src *MastoSource) update(ctx context.Context) {
}
// TODO: cache body
body := MaxBytesReader(resp.Body, maxResponseSize)
feed, err := parseMicroformats(resp.Body)
feed, err := parseMicroformats(body)
if err != nil {
err := fmt.Errorf("error parsing %q: %w", src.URL, err)
log.Println(err)
@ -202,3 +207,58 @@ func text(s *goquery.Selection) string {
return buf.String()
}
// MaxBytesReader is similar to io.LimitReader but is intended for
// limiting the size of incoming request bodies. In contrast to
// io.LimitReader, MaxBytesReader's result is a ReadCloser, returns a
// non-EOF error for a Read beyond the limit, and closes the
// underlying reader when its Close method is called.
//
// MaxBytesReader prevents clients from accidentally or maliciously
// sending a large request and wasting server resources.
//
// Based on http.MaxBytesReader
func MaxBytesReader(r io.ReadCloser, n int64) io.ReadCloser {
if n < 0 { // Treat negative limits as equivalent to 0.
n = 0
}
return &maxBytesReader{r: r, n: n}
}
type maxBytesReader struct {
r io.ReadCloser // underlying reader
n int64 // max bytes remaining
err error // sticky error
}
func (l *maxBytesReader) Read(p []byte) (n int, err error) {
if l.err != nil {
return 0, l.err
}
if len(p) == 0 {
return 0, nil
}
// If they asked for a 32KB byte read but only 5 bytes are
// remaining, no need to read 32KB. 6 bytes will answer the
// question of the whether we hit the limit or go past it.
if int64(len(p)) > l.n+1 {
p = p[:l.n+1]
}
n, err = l.r.Read(p)
if int64(n) <= l.n {
l.n -= int64(n)
l.err = err
return n, err
}
n = int(l.n)
l.n = 0
l.err = errors.New("http: response body too large")
return n, l.err
}
func (l *maxBytesReader) Close() error {
return l.r.Close()
}