authorpg9182 <96569817+pg9182@users.noreply.github.com>2022-10-13 13:22:59 -0400
committerpg9182 <96569817+pg9182@users.noreply.github.com>2022-10-13 13:22:59 -0400
commitc4dbaf2658963a41939b5e111059d280b4a54c97 (patch)
tree4875077704c6082ac5347f23a9e82e675b9e7782 /pkg/api
parentb44b58dc18410b99b4ca2860b4964b974708606e (diff)
pkg/api/api0: Reject pdata with too much trailing junk
Diffstat (limited to 'pkg/api')
-rw-r--r--pkg/api/api0/accounts.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/pkg/api/api0/accounts.go b/pkg/api/api0/accounts.go
index 408179d..6faa1b9 100644
--- a/pkg/api/api0/accounts.go
+++ b/pkg/api/api0/accounts.go
@@ -83,6 +83,18 @@ func (h *Handler) handleAccountsWritePersistence(w http.ResponseWriter, r *http.
return
}
+ if len(pd.ExtraData) > 512 { // arbitrary limit
+ hlog.FromRequest(r).Warn().
+ Err(err).
+ Msgf("pdata with too much trailing junk rejected")
+ respJSON(w, r, http.StatusBadRequest, map[string]any{
+ "success": false,
+ "error": ErrorCode_BAD_REQUEST,
+ "msg": ErrorCode_BAD_REQUEST.Messagef("invalid pdata"),
+ })
+ return
+ }
+
uidQ := r.URL.Query().Get("id")
if uidQ == "" {
respJSON(w, r, http.StatusBadRequest, map[string]any{
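Review bot: The warning logged in the new `len(pd.ExtraData) > 512` branch attaches `Err(err)`, but the context lines just above return from what looks like the error branch, so `err` is presumably nil here and the field adds nothing. The entry also leaves out the one value an operator would want when triaging oversized or probing uploads, namely how much trailing data was sent. I would log the size instead and drop the argument-less `Msgf`: `hlog.FromRequest(r).Warn().Int("extra_len", len(pd.ExtraData)).Msg("pdata with too much trailing junk rejected")`. The bare `512` would also read better as a named constant with a comment saying why trailing data is tolerated at all. The enclosing handler starts and ends outside this hunk, so whether the request body is size-limited before pdata is parsed cannot be confirmed from here.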