Use LimitReader to avoid DoS by evil endpoints

jhrozek · jhrozek · commit bfa5b201ca7f · 2025-09-04T11:22:23.000+01:00
diff --git a/pkg/auth/token.go b/pkg/auth/token.go
@@ -123,8 +123,10 @@ func (g *GoogleProvider) IntrospectToken(ctx context.Context, token string) (jwt
 	}
 	defer resp.Body.Close()
 
-	// Read the response
-	body, err := io.ReadAll(resp.Body)
+	// Read the response with a reasonable limit to prevent DoS attacks
+	const maxResponseSize = 64 * 1024 // 64KB should be more than enough for tokeninfo response
+	limitedReader := io.LimitReader(resp.Body, maxResponseSize)
+	body, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read Google tokeninfo response: %w", err)
 	}
@@ -297,8 +299,10 @@ func (r *RFC7662Provider) IntrospectToken(ctx context.Context, token string) (jw
 	}
 	defer resp.Body.Close()
 
-	// Read response body
-	body, err := io.ReadAll(resp.Body)
+	// Read response body with a reasonable limit to prevent DoS attacks
+	const maxResponseSize = 64 * 1024 // 64KB should be more than enough for introspection response
+	limitedReader := io.LimitReader(resp.Body, maxResponseSize)
+	body, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read introspection response: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -123,8 +123,10 @@ func (g *GoogleProvider) IntrospectToken(ctx context.Context, token string) (jwt`
`123`	`123`	`}`
`124`	`124`	`defer resp.Body.Close()`
`125`	`125`
`126`		`- // Read the response`
`127`		`- body, err := io.ReadAll(resp.Body)`
	`126`	`+ // Read the response with a reasonable limit to prevent DoS attacks`
	`127`	`+ const maxResponseSize = 64 * 1024 // 64KB should be more than enough for tokeninfo response`
	`128`	`+ limitedReader := io.LimitReader(resp.Body, maxResponseSize)`
	`129`	`+ body, err := io.ReadAll(limitedReader)`
`128`	`130`	`if err != nil {`
`129`	`131`	`return nil, fmt.Errorf("failed to read Google tokeninfo response: %w", err)`
`130`	`132`	`}`
`@@ -297,8 +299,10 @@ func (r *RFC7662Provider) IntrospectToken(ctx context.Context, token string) (jw`
`297`	`299`	`}`
`298`	`300`	`defer resp.Body.Close()`
`299`	`301`
`300`		`- // Read response body`
`301`		`- body, err := io.ReadAll(resp.Body)`
	`302`	`+ // Read response body with a reasonable limit to prevent DoS attacks`
	`303`	`+ const maxResponseSize = 64 * 1024 // 64KB should be more than enough for introspection response`
	`304`	`+ limitedReader := io.LimitReader(resp.Body, maxResponseSize)`
	`305`	`+ body, err := io.ReadAll(limitedReader)`
`302`	`306`	`if err != nil {`
`303`	`307`	`return nil, fmt.Errorf("failed to read introspection response: %w", err)`
`304`	`308`	`}`