github
/
prometheus
mirror of https://github.com/prometheus/prometheus
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

limit size of POST requests against remote read endpoint (#4239) 

This commit fixes a denial-of-service issue of the remote
read endpoint. It limits the size of the POST request body
to 32 MB such that clients cannot write arbitrary amounts
of data to the server memory.

Fixes #4238

Signed-off-by: Andreas Auernhammer <aead@mail.de>
pull/4213/head
Andreas Auernhammer 2018-06-08 09:19:20 +02:00 committed by Brian Brazil
parent 32223e1dfb
commit 37d1bcf495
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
storage/remote/codec.go
View File

@ -15,6 +15,7 @@ package remote
import (
"fmt"
"io"
"io/ioutil"
"net/http"
"sort"
@ -28,9 +29,12 @@ import (
"github.com/prometheus/prometheus/storage"
)
// decodeReadLimit is the maximum size of a read request body in bytes.
const decodeReadLimit = 32 * 1024 * 1024
// DecodeReadRequest reads a remote.Request from a http.Request.
func DecodeReadRequest(r *http.Request) (*prompb.ReadRequest, error) {
compressed, err := ioutil.ReadAll(r.Body)
compressed, err := ioutil.ReadAll(io.LimitReader(r.Body, decodeReadLimit))
if err != nil {
return nil, err
}