limit request size, zipbomb

Author: evict

README.md

@@ -119,6 +119,7 @@ Run <code><strong>src login <i>SOURCEGRAPH-URL</i></strong></code> to authentica
 
 - `SRC_ENDPOINT`: the URL to your Sourcegraph instance (such as `https://sourcegraph.example.com`)
 - `SRC_ACCESS_TOKEN`: your Sourcegraph access token (on your Sourcegraph instance, click your user menu in the top right, then select **Settings > Access tokens** to create one)
+- `SRC_MAX_REQUESTSIZE_MB`: maximum request body size in MB for git operations (default: 10)
 
 For convenience, you can add these environment variables persistently. 
 

internal/servegit/gitservice.go

@@ -17,6 +17,17 @@ import (
 	"github.com/sourcegraph/sourcegraph/lib/errors"
 )
 
+const defaultMaxFileSizeMB = 10
+
+func maxRequestSize() int64 {
+	if v := os.Getenv("SRC_MAX_REQUESTSIZE_MB"); v != "" {
+		if mb, err := strconv.ParseInt(v, 10, 64); err == nil && mb > 0 {
+			return mb * 1024 * 1024
+		}
+	}
+	return defaultMaxFileSizeMB * 1024 * 1024
+}
+
 var uploadPackArgs = []string{
 	// Partial clones/fetches
 	"-c", "uploadpack.allowFilter=true",
@@ -109,10 +120,9 @@ func (s *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	body := r.Body
+	body := io.NopCloser(io.LimitReader(r.Body, maxRequestSize()))
 	defer body.Close()
 
-	// TODO(@evict) max filereader
 	if r.Header.Get("Content-Encoding") == "gzip" {
 		gzipReader, err := gzip.NewReader(body)
 		if err != nil {
@@ -121,7 +131,7 @@ func (s *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 		defer gzipReader.Close()
 
-		body = gzipReader
+		body = io.NopCloser(io.LimitReader(gzipReader, maxRequestSize()))
 	}
 
 	// err is set if we fail to run command or have an unexpected svc. It is