ProductBarcode: backend: prevent DoS with image download

2025-12-24 22:39:14 +01:00 · 2025-07-06 19:37:14 +00:00
parent a980d9f243
commit f37f609dff
1 changed files with 11 additions and 1 deletions
--- a/backend/app/api/handlers/v1/v1_ctrl_product_search.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_product_search.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"github.com/hay-kot/httpkit/errchain"
@@ -281,8 +282,17 @@ func (ctrl *V1Controller) HandleProductSearchFromBarcode(conf config.BarcodeAPIC
 				continue
 			}

+			// Check content type
+			contentType := res.Header.Get("Content-Type")
+			if !strings.HasPrefix(contentType, "image/") {
+				continue
+			}
+
+			// Limit image size to 8MB
+			limitedReader := io.LimitReader(res.Body, 8*1024*1024)
+
 			// Read data of image
-			bytes, err := io.ReadAll(res.Body)
+			bytes, err := io.ReadAll(limitedReader)
 			if err != nil {
 				log.Warn().Msg(err.Error())
 				continue