Open
Description
The server reads entire request bodies into memory without any size limit, enabling memory exhaustion DoS attacks.
Location
http-echo.go:66
```go
body, _ := io.ReadAll(r.Body)
```
Impact
- Severity: HIGH (Security)
- Attack Vector: Send requests with multi-GB bodies
- Memory exhaustion leading to OOM kills
- Service unavailability
- Potential for cascading failures in container environments
Vulnerability Details
An attacker can send arbitrarily large request bodies:
```sh
# Attack example: stream a 10 GB body of zeros at the echo endpoint
dd if=/dev/zero bs=1M count=10000 | curl -X POST -H "Content-Type: application/octet-stream" --data-binary @- http://target:8080/
```
Note that curl loads a `--data-binary @-` body into its own memory before sending it; `-T -` streams stdin with chunked encoding instead, so the attacker's side stays flat while the server buffers everything. Even with `MaxHeaderBytes` set to 1 MB, that setting only limits headers, not the request body.
Recommended Fix
Use io.LimitReader to enforce a maximum body size. Be aware that this truncates silently: when the limit is hit, io.ReadAll returns the first 10 MB with a nil error, so the error branch below only fires on an actual read failure, and the client is never told its body was cut.
```go
const maxBodySize = 10 << 20 // 10MB

func (h helloWorldhandler) collectRequestInfo(r *http.Request, startTime time.Time) requestInfo {
	defer r.Body.Close()

	// Parse form data. For form-encoded POSTs net/http reads the body here
	// itself (capped at 10 MB by ParseForm), so the ReadAll below then sees
	// an empty body; for any other Content-Type the body is still unread.
	_ = r.ParseForm()

	// Read body with size limit: at most maxBodySize bytes are buffered,
	// anything beyond that is left unread on the connection.
	limitedReader := io.LimitReader(r.Body, maxBodySize)
	body, err := io.ReadAll(limitedReader)
	if err != nil {
		log.Printf("Body read error: %v", err)
		body = []byte("(body read error)")
	}
	// ... rest of function
}
```
Alternative Approach
For stricter enforcement, use http.MaxBytesReader. Unlike io.LimitReader it returns an error (*http.MaxBytesError since Go 1.19) once the limit is crossed, and it tells the server to close the connection after the response instead of draining the remaining bytes. It needs the http.ResponseWriter, which collectRequestInfo does not receive, so the wrapping belongs in the handler that calls it, before ParseForm or anything else touches the body:
```go
// In the handler, where w http.ResponseWriter and r *http.Request are in scope.
// Wrap first so every later reader of r.Body (ParseForm included) is bounded.
r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
body, err := io.ReadAll(r.Body)
if err != nil {
	// Reached on any read failure; an oversized body yields *http.MaxBytesError.
	http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
	return
}
```
Testing
- Send requests with bodies > 10MB
- Verify they are truncated (io.LimitReader) or rejected with 413 (http.MaxBytesReader)
- Confirm memory usage stays bounded under attack (e.g. watch the process RSS while the curl command above runs)
- Load test with concurrent large requests
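The following is an added example (not code from this issue or from the http-echo project) that puts the vulnerable pattern and both proposed fixes side by side and exercises each with a body one byte over the limit, which is the check the Testing list above asks for. The handler names vulnerableHandler, truncatingHandler and rejectingHandler and the zeroReader type are assumptions introduced for the example. Requests go through httptest.NewRecorder rather than a listening server so the run is deterministic; the connection-close behaviour of http.MaxBytesReader therefore is not exercised here, only its error return.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// maxBodySize is the most a handler will buffer from a single request body.
const maxBodySize = 10 << 20 // 10 MiB

// vulnerableHandler is the pattern at http-echo.go:66: an unbounded
// io.ReadAll, so heap usage grows with whatever the client sends.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body)
	fmt.Fprint(w, len(body))
}

// truncatingHandler is the io.LimitReader fix. Bytes past the limit are never
// read, but ReadAll returns no error, so the client gets 200 and cannot tell
// that its body was cut short.
func truncatingHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBodySize))
	if err != nil {
		http.Error(w, "body read error", http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, len(body))
}

// rejectingHandler is the http.MaxBytesReader fix. Crossing the limit makes
// ReadAll fail with *http.MaxBytesError (Go 1.19+), so the handler answers
// 413; on a real server the writer is also told to close the connection.
func rejectingHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
	body, err := io.ReadAll(r.Body)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "body read error", http.StatusBadRequest)
		return
	}
	fmt.Fprint(w, len(body))
}

// zeroReader is an endless stream of zero bytes, the dd if=/dev/zero of the
// attack example, generated on the fly so the test never holds it in memory.
type zeroReader struct{}

func (zeroReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

// exercise drives h with a streamed POST body of n bytes through
// httptest.NewRecorder and returns the status code plus the byte count the
// handler echoed (-1 unless it answered 200). The recorder keeps the run
// deterministic: no real connection exists to be torn down mid-upload.
func exercise(h http.HandlerFunc, n int64) (status int, buffered int) {
	req := httptest.NewRequest(http.MethodPost, "/", io.LimitReader(zeroReader{}, n))
	req.ContentLength = n
	rec := httptest.NewRecorder()
	h(rec, req)
	buffered = -1
	if rec.Code == http.StatusOK {
		if v, err := strconv.Atoi(rec.Body.String()); err == nil {
			buffered = v
		}
	}
	return rec.Code, buffered
}

func main() {
	const oversized = maxBodySize + 1 // one byte past the limit is enough
	for _, c := range []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable (io.ReadAll)", vulnerableHandler},
		{"io.LimitReader", truncatingHandler},
		{"http.MaxBytesReader", rejectingHandler},
	} {
		status, buffered := exercise(c.h, oversized)
		fmt.Printf("%-24s status=%d bytes_buffered=%d\n", c.name, status, buffered)
	}
}
```

Run with `go run .`: the vulnerable handler buffers all 10485761 bytes, the io.LimitReader version answers 200 having kept exactly 10485760, and the http.MaxBytesReader version answers 413 without buffering the body. The same harness with a larger `oversized` shows the first handler's allocation scaling with the body and the other two staying flat, which is the memory-bounded check from the Testing list.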
Priority
High - Security vulnerability that should be patched before production use.