yunxiafei/openclaw-mission-control
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: add 1 MB payload size limit to webhook ingestion

Browse Source 
The webhook ingest endpoint read the entire request body with no size
limit, enabling memory exhaustion attacks. Add a 1 MB limit checked
via both Content-Length header (early reject) and actual body size.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hugh Brown
2026-03-03 13:37:51 -07:00
committed by Abhimanyu Saharan
parent 5d382ed67b
commit 7ca4145aff
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
backend/app/api/board_webhooks.py
View File

@@ -496,7 +496,20 @@ async def ingest_board_webhook(
detail="Webhook is disabled.",
)
# Enforce a 1 MB payload size limit to prevent memory exhaustion.
max_payload_bytes = 1_048_576
content_length = request.headers.get("content-length")
if content_length and int(content_length) > max_payload_bytes:
raise HTTPException(
status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
detail=f"Payload exceeds maximum size of {max_payload_bytes} bytes.",
)
raw_body = await request.body()
if len(raw_body) > max_payload_bytes:
raise HTTPException(
status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
detail=f"Payload exceeds maximum size of {max_payload_bytes} bytes.",
)
_verify_webhook_signature(webhook, raw_body, request)
content_type = request.headers.get("content-type")