Cap config-sync response size and allowlist edited_by#89
Merged
Conversation
curl now passes --max-filesize 131072 (128 KiB) for both POST helpers so a misbehaving server cannot fill /tmp on a disk-constrained feeder. The config-sync response decoder additionally drops any field whose edited_by is not in {feeder, website, legacy}, mirroring the server's own ChoiceField allowlist on the inbound side.
Codex flagged that the dropped-field warn log emitted the attacker-controlled edited_by value unquoted. jq @TSV already strips tabs/newlines, but a value containing spaces or embedded `=` could forge extra key=value pairs in the structured journal stream. Cap the logged token at 64 chars, escape any literal double-quotes, and wrap it in quotes so a downstream log parser sees one field.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two small defensive changes on the feeder side, both prompted by a threat-model review of the config-sync response path.
The HTTP helpers in apl-feed/http.sh now pass
--max-filesize 131072(128 KiB) to curl, bounding the response body that lands in the feeder's /tmp. The realistic well-formed responses for the status, config-sync, and diagnostics endpoints are all well below that; the cap exists so a compromised or buggy server cannot push a multi-megabyte body in the 30s --max-time window and exhaust an SD-card-backed feeder's tmpfs.The config-sync response decoder also drops any field whose edited_by value falls outside the {feeder, website, legacy} set — the same allowlist the server's serializer enforces on inbound requests. Today nothing on the feeder evaluates edited_by beyond writing it to feed.meta.json, but the asymmetry was worth closing: a future render path that trusts the choice should not have to rediscover it.