Limit reads from untrusted sources

jholdstock · jholdstock · commit 09f68036791e · 2026-04-23T09:29:43.000+08:00
diff --git a/service.go b/service.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2025 The Decred developers
+// Copyright (c) 2017-2026 The Decred developers
 // Use of this source code is governed by an ISC
 // license that can be found in the LICENSE file.
 
@@ -190,7 +190,7 @@ func (service *Service) getHTTP(url string) ([]byte, error) {
 			url, poolResp.StatusCode)
 	}
 
-	respBody, err := io.ReadAll(poolResp.Body)
+	respBody, err := io.ReadAll(io.LimitReader(poolResp.Body, 1<<20)) // 1 MiB limit
 	if err != nil {
 		return nil, fmt.Errorf("%v: failed to read body: %w", url, err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Copyright (c) 2017-2025 The Decred developers`
	`1`	`+// Copyright (c) 2017-2026 The Decred developers`
`2`	`2`	`// Use of this source code is governed by an ISC`
`3`	`3`	`// license that can be found in the LICENSE file.`
`4`	`4`
`@@ -190,7 +190,7 @@ func (service *Service) getHTTP(url string) ([]byte, error) {`
`190`	`190`	`url, poolResp.StatusCode)`
`191`	`191`	`}`
`192`	`192`
`193`		`- respBody, err := io.ReadAll(poolResp.Body)`
	`193`	`+ respBody, err := io.ReadAll(io.LimitReader(poolResp.Body, 1<<20)) // 1 MiB limit`
`194`	`194`	`if err != nil {`
`195`	`195`	`return nil, fmt.Errorf("%v: failed to read body: %w", url, err)`
`196`	`196`	`}`