From f37f609dffc45d2c46455c47b06682f6d9bd8dbf Mon Sep 17 00:00:00 2001
From: Crumb Owl
Date: Sun, 6 Jul 2025 19:37:14 +0000
Subject: [PATCH] ProductBarcode: backend: prevent DoS with image download
---
 .../app/api/handlers/v1/v1_ctrl_product_search.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/backend/app/api/handlers/v1/v1_ctrl_product_search.go b/backend/app/api/handlers/v1/v1_ctrl_product_search.go
index ffd7733b..e9fae0ec 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_product_search.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_product_search.go
@@ -8,6 +8,7 @@ import (
 "io"
 "net/http"
 "net/url"
+ "strings"
 "time"
 
 "github.com/hay-kot/httpkit/errchain"
@@ -281,8 +282,17 @@ func (ctrl *V1Controller) HandleProductSearchFromBarcode(conf config.BarcodeAPIC
 continue
 }
 
+ // Check content type
+ contentType := res.Header.Get("Content-Type")
+ if !strings.HasPrefix(contentType, "image/") {
+ continue
+ }
+
+ // Limit image size to 8MB
+ limitedReader := io.LimitReader(res.Body, 8*1024*1024)
+
 // Read data of image
- bytes, err := io.ReadAll(res.Body)
+ bytes, err := io.ReadAll(limitedReader)
 if err != nil {
 log.Warn().Msg(err.Error())
 continue
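Review bot: `io.LimitReader(res.Body, 8*1024*1024)` in the second hunk caps the read but does not reject an oversized response: `io.ReadAll` returns the first 8 MiB with a nil error, so a truncated body continues down the image path as if it were complete. Read one byte past the bound and treat an over-long body like the other rejected responses, e.g. `limitedReader := io.LimitReader(res.Body, 8*1024*1024+1)` and, after the `ReadAll`, `if len(bytes) > 8*1024*1024 { continue }`; naming the bound once, `const maxImageBytes = 8 << 20`, keeps the comment and both checks in agreement. The `Content-Type` prefix test is a reasonable first filter, but the header is set by the remote server, so it is a hint rather than proof that the payload is an image, and `mime.ParseMediaType` would make the comparison tolerant of case and parameters. The new `continue` after the content-type check leaves the iteration with the body unread; whether it is closed on that path depends on a `defer`/`Close` that sits outside the hunk. HandleProductSearchFromBarcode begins and ends outside the hunk.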