1
0
forked from GRIN/grim
Files
goblin/src
2ro d47a71a03b fix(http): cap collected response body size to prevent OOM DoS
HTTP response bodies were collected with no size limit on both the Tor
path (tor::request_once) and the clearnet path (http::clearnet_once),
each doing into_body().collect().to_vec() unbounded. A compromised or
malicious name-authority, relay-pool gist, NIP-11 relay-info, or price
endpoint could stream a multi-GB body and OOM the wallet. The websocket
path already caps frames at 4 MiB; HTTP did not.

Add a shared collect_body_capped() that rejects an oversized
Content-Length up front and bounds the actual streamed read frame by
frame (catching a lying/absent Content-Length), returning a clean Err
instead of panicking. Cap is 8 MiB: comfortably above every legitimate
response (relay-pool gist, NIP-05/.well-known/by-pubkey JSON, NIP-11
info, price/fee JSON are all a few KiB; the 1 MiB avatar PNG is the
largest) and a touch above the 4 MiB websocket ceiling, so nothing real
is clipped.
2026-07-10 15:36:29 -04:00
..