security: limit max content length to prevent a possible dos attack (#…

…423) **Relative Issues:** Resolve #412 **Describe the pull request** This pull request addresses a potential security vulnerability by limiting the maximum content length accepted by the application. This measure helps to prevent possible Denial of Service (DoS) attacks that could be executed by sending excessively large payloads to the server. By enforcing a reasonable content length limit, we can maintain the application's stability and security while minimizing the risk of disruption from malicious actors. **Checklist** - [x] I have linked the relative issue to this pull request - [x] I have made the modifications or added tests related to my PR - [x] I have added/updated the documentation for my RP - [x] I put my PR in Ready for Review only when all the checklist is checked **Breaking changes ?** no **Additional context** A Directive Overloading occurs when a user can send a query with many consecutive directives and overload the parser of the app. Actually `gqlgen` don't allow us to add a fixed limit. I will work on gqlgen project to see if this can be implemented to respect the GraphQL 16 specifications about Directive Overloading.
42atomys · Apr 9, 2023 · a70bfc7 · a70bfc7
1 parent f7696e4
commit a70bfc7
Show file tree

Hide file tree

Showing 8 changed files with 106 additions and 55 deletions.
diff --git a/cmd/api.go b/cmd/api.go
@@ -1,17 +1,21 @@
 package cmd
 
 import (
+	"bytes"
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"strings"
+	"time"
 
 	"entgo.io/contrib/entgql"
 	"github.com/99designs/gqlgen/graphql/handler"
 	"github.com/99designs/gqlgen/graphql/handler/extension"
 	"github.com/99designs/gqlgen/graphql/playground"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
 	_ "github.com/lib/pq"
 	"github.com/rs/cors"
 	"github.com/rs/zerolog/log"
@@ -67,12 +71,47 @@ var apiCmd = &cobra.Command{
 			AllowCredentials: true,
 			Debug:            os.Getenv("DEBUG") == "true",
 		}).Handler)
+
+		router.Use(middleware.Timeout(60*time.Second), middleware.RealIP)
 		router.Use(api.AuthzByPolicyMiddleware)
 		router.Use(api.AuthenticationMiddleware)
 		if os.Getenv("DEBUG") == "true" {
 			router.Use(api.LoggingMiddleware)
 		}
 
+		if os.Getenv("DEBUG_PPROF") == "true" {
+			router.Mount("/debug", middleware.Profiler())
+		}
+
+		// Limit the request body size for all requests to the
+		// This is based on the chi middleware.RequestSize. Way this middleware is
+		// added to the router to use it
+		// https://github.com/go-chi/chi/blob/master/middleware/request_size.go
+		router.Use(func(h http.Handler) http.Handler {
+			fn := func(w http.ResponseWriter, r *http.Request) {
+
+				// When image transfer is enabled, the request body size is limited.
+				// This is done to prevent the server from being overloaded by large
+				// DoS attack over the network.
+				const _50KB = (1 << 10) * 50
+
+				limitedBody := http.MaxBytesReader(w, r.Body, _50KB)
+				bodyBytes, err := ioutil.ReadAll(limitedBody)
+				limitedBody.Close()
+
+				// if r.Body reach the max size limit, the request will be canceled
+				// and the error will be returned to the client
+				if r.ContentLength > _50KB || err != nil {
+					http.Error(w, http.StatusText(http.StatusRequestEntityTooLarge), http.StatusRequestEntityTooLarge)
+					return
+				}
+
+				r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
+				h.ServeHTTP(w, r)
+			}
+			return http.HandlerFunc(fn)
+		})
+
 		if *playgroudActive {
 			router.Handle("/", playground.Handler("GraphQL playground", "/graphql"))
 			log.Info().Msgf("connect to http://localhost:%s/ for GraphQL playground", *apiPortFlag)

diff --git a/deploy/stacks/apps/s42/api.tf b/deploy/stacks/apps/s42/api.tf
@@ -16,7 +16,7 @@ module "api" {
   replicas = 1
   autoscaling = {
     enabled     = true
-    minReplicas = 1
+    minReplicas = 2
     maxReplicas = 10
     metrics = {
       cpu = {

diff --git a/deploy/stacks/apps/s42/interface.tf b/deploy/stacks/apps/s42/interface.tf
@@ -35,7 +35,7 @@ module "interface" {
   replicas = 1
   autoscaling = {
     enabled     = true
-    minReplicas = 1
+    minReplicas = 2
     maxReplicas = 10
     metrics = {
       cpu = {

diff --git a/deploy/stacks/apps/s42/jwtks_service.tf b/deploy/stacks/apps/s42/jwtks_service.tf
@@ -17,7 +17,7 @@ module "jwtks_service" {
   replicas = 1
   autoscaling = {
     enabled     = true
-    minReplicas = 1
+    minReplicas = 2
     maxReplicas = 10
     metrics = {
       cpu = {

diff --git a/go.mod b/go.mod
@@ -5,11 +5,10 @@ go 1.18
 require (
 	entgo.io/contrib v0.3.0
 	entgo.io/ent v0.11.4
-	github.com/99designs/gqlgen v0.17.5-0.20220428154617-9250f9ac1f90
+	github.com/99designs/gqlgen v0.17.28
 	github.com/bwmarrin/discordgo v0.25.0
 	github.com/getsentry/sentry-go v0.13.0
-	github.com/go-chi/chi v1.5.4
-	github.com/go-chi/chi/v5 v5.0.7
+	github.com/go-chi/chi/v5 v5.0.8
 	github.com/google/go-github/v47 v47.0.1-0.20220822225427-243bda850b1f
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-multierror v1.1.1
@@ -22,16 +21,16 @@ require (
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/viper v1.10.1
 	github.com/streadway/amqp v1.0.0
-	github.com/stretchr/testify v1.8.1
-	github.com/vektah/gqlparser/v2 v2.4.3-0.20220508162109-d3d9eb001575
+	github.com/stretchr/testify v1.8.2
+	github.com/vektah/gqlparser/v2 v2.5.1
 	github.com/vmihailenco/msgpack/v5 v5.0.0-beta.9
 	go.opentelemetry.io/otel v1.9.0
 	go.opentelemetry.io/otel/exporters/jaeger v1.9.0
 	go.opentelemetry.io/otel/sdk v1.9.0
 	go.opentelemetry.io/otel/trace v1.9.0
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	google.golang.org/grpc v1.47.0
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/protobuf v1.28.1
 )
 
 require (
@@ -53,7 +52,7 @@ require (
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.13.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
@@ -80,11 +79,11 @@ require (
 	github.com/vmihailenco/tagparser v0.1.2 // indirect
 	github.com/zclconf/go-cty v1.8.0 // indirect
 	golang.org/x/crypto v0.0.0-20220517005047-85d78b3ac167 // indirect
-	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/net v0.0.0-20220722155237-a158d28d115b // indirect
-	golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/tools v0.1.13-0.20220804200503-81c7dc4e4efa // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/net v0.6.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect