- Notifications
You must be signed in to change notification settings - Fork1k
chore: bring back x-auth-checks with a length limit#19928
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Changes fromall commits
File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -9,6 +9,14 @@ import ( | ||||||||||||
| "github.com/coder/coder/v2/coderd/rbac" | ||||||||||||
| ) | ||||||||||||
| // The x-authz-checks header can end up being >10KB in size on certain queries. | ||||||||||||
| // Many HTTP clients will fail if a header or the response head as a whole is | ||||||||||||
| // too long to prevent malicious responses from consuming all of the client's | ||||||||||||
| // memory. I've seen reports that browsers have this limit as low as 4KB for the | ||||||||||||
| // entire response head, so we limit this header to a little less than 2KB, | ||||||||||||
| // ensuring there's still plenty of room for the usual smaller headers. | ||||||||||||
| const maxHeaderLength = 2000 | ||||||||||||
| // This is defined separately in slim builds to avoid importing the rbac | ||||||||||||
| // package, which is a large dependency. | ||||||||||||
| func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) { | ||||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. We could technically find the size of the other headers to, and check how large they are. Then make sure they never exceed 4kb | ||||||||||||
| @@ -23,6 +31,11 @@ func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) { | ||||||||||||
| // configured on server startup for development and testing builds. | ||||||||||||
| // - If this header is missing from a response, make sure the response is | ||||||||||||
| // being written by calling `httpapi.Write`! | ||||||||||||
| checks := rec.String() | ||||||||||||
| if len(checks) > maxHeaderLength { | ||||||||||||
| checks = checks[:maxHeaderLength] | ||||||||||||
| checks += "<truncated>" | ||||||||||||
Comment on lines +36 to +37 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Nit: Won't this result in a header that is 2011 bytes long, since Suggested change
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. I thought about that, but figured it wouldn't hurt to let it be a tiny bit longer 😄 | ||||||||||||
| } | ||||||||||||
| rw.Header().Set("x-authz-checks", checks) | ||||||||||||
| } | ||||||||||||
| } | ||||||||||||
Uh oh!
There was an error while loading.Please reload this page.