Security: Unbounded form data parsing enables DoS attacks #34

@sgaunet

Description

The ParseForm() call has no size limit, allowing attackers to send massive multipart forms that exhaust memory and CPU.

Location

http-echo.go:63

_ = r.ParseForm()

Impact

  • Severity: HIGH (Security)
  • Attack Vector: Send multipart form data with thousands of fields or large files
  • Memory exhaustion from form data storage
  • CPU exhaustion from parsing operations
  • Service unavailability

Vulnerability Details

Multipart form parsing can be exploited:

# Attack example: 10,000 form fields
curl -X POST -F "$(for i in {1..10000}; do echo "field$i=value$i"; done | tr '\n' '&')" http://target:8080/

Recommended Fix

Use http.MaxBytesReader before parsing to enforce size limits:

const maxBodySize = 10 << 20 // 10MB

// collectRequestInfo now takes the ResponseWriter so MaxBytesReader can
// flag the connection for closing when the limit is exceeded.
func (h helloWorldhandler) collectRequestInfo(w http.ResponseWriter, r *http.Request, startTime time.Time) requestInfo {
    defer r.Body.Close()

    // Limit request body size before parsing
    r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)

    // Parse form data with size protection; an oversized body surfaces as an
    // *http.MaxBytesError, which should map to a 413 response.
    if err := r.ParseForm(); err != nil {
        log.Printf("Form parse error (possibly too large): %v", err)
        // Optionally return error response
    }

    // Read remaining body (empty for a urlencoded POST, since ParseForm
    // has already consumed it; still bounded by MaxBytesReader otherwise)
    body, _ := io.ReadAll(r.Body)

    // ... rest of function
}

Note: This requires passing http.ResponseWriter to collectRequestInfo.

Alternative Approach

Set MaxBytesReader at the handler level:

func (h helloWorldhandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    startTime := time.Now()
    
    // Limit request size for the entire handler
    r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
    
    // Collect request information
    info := h.collectRequestInfo(r, startTime)
    
    // ... rest of handler
}

Testing

  • Send multipart forms with > 10MB total size
  • Send forms with thousands of fields
  • Verify requests are rejected with 413 status
  • Confirm memory usage stays bounded
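An added in-process check of the handler-level fix, covering the 413 behaviour listed above (example code, not from the http-echo project; maxBodySize, boundedFormHandler and postForm are names chosen here, and the limit is lowered to 1 MiB so the test body stays small). It also records a caveat: ParseForm only reads application/x-www-form-urlencoded bodies (multipart needs ParseMultipartForm) and already stops at 10 MB on its own unless the body is a MaxBytesReader, so the wrapper is what makes the limit explicit, tunable and reportable as 413.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodySize is an assumed limit for this example; size it to the largest
// legitimate request the service must accept.
const maxBodySize = 1 << 20 // 1 MiB

// boundedFormHandler wraps the body before ParseForm, so an oversized
// urlencoded body is cut off at maxBodySize instead of being read whole.
func boundedFormHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
	if err := r.ParseForm(); err != nil {
		var tooLarge *http.MaxBytesError // returned by MaxBytesReader (Go 1.19+)
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "parsed %d fields\n", len(r.PostForm))
}

// postForm builds a constructed urlencoded body of n fields, sends it to the
// handler in-process and returns the status code, so the limit can be checked
// without a network or a real client.
func postForm(n int) int {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&sb, "field%d=value%d&", i, i)
	}
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(sb.String()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	boundedFormHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(postForm(10))     // 200: small form parses normally
	fmt.Println(postForm(100000)) // 413: ~2 MB body exceeds maxBodySize
}
```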

Priority

High - Security vulnerability that should be patched for production use.
