Skip to content

SECVULN-29092 DoS handled for kvs_endpoint.go #22916

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Oct 14, 2025
Merged

SECVULN-29092 DoS handled for kvs_endpoint.go #22916

Changes from 3 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
635cda0
SECVULN-29092 Dos handled
Manishakumari-hc Oct 10, 2025
14f630c
SECVULN-29092 Dos handled
Manishakumari-hc Oct 10, 2025
9ebb5e0
Error handling for request with no content-length
Manishakumari-hc Oct 13, 2025
db69840
Error handling for request with no content-length
Manishakumari-hc Oct 13, 2025
b8fa0b4
addressed changelog
Manishakumari-hc Oct 13, 2025
6ed93a9
addressed changelog
Manishakumari-hc Oct 13, 2025
ebec61b
changed variable scope
Manishakumari-hc Oct 13, 2025
37727e3
handle requests with no content-length and allowed size
Manishakumari-hc Oct 13, 2025
3a0d477
handle validations of content length
Manishakumari-hc Oct 13, 2025
870f498
changed byteReader to maxByteReader
Manishakumari-hc Oct 13, 2025
1542fbf
changed byteReader to maxByteReader
Manishakumari-hc Oct 13, 2025
91475c9
added tets case for the added code
Manishakumari-hc Oct 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 17 additions & 7 deletions agent/kvs_endpoint.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,20 +234,30 @@
}

// Check the content-length
if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
maxSize := int64(s.agent.config.KVMaxValueSize)

switch {
case req.ContentLength < 0:
Copy link
Contributor

@sanikachavan5 sanikachavan5 Oct 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
case req.ContentLength < 0:
case !req.ContentLength || req.ContentLength <= 0:

return nil, HTTPError{
StatusCode: http.StatusBadRequest,
Reason: fmt.Sprintf("Request does not specify content-length .Expected content-length between 1 and %d .", maxSize),
}
case req.ContentLength > maxSize:
return nil, HTTPError{
StatusCode: http.StatusRequestEntityTooLarge,
Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
req.ContentLength, maxSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
}
}

// Copy the value
buf := bytes.NewBuffer(nil)
if _, err := io.Copy(buf, req.Body); err != nil {
return nil, err
default:
// Copy the value
buf := bytes.NewBuffer(nil)
if _, err := io.Copy(buf, req.Body); err != nil {
return nil, err
}
}
Copy link
Contributor

@sanikachavan5 sanikachavan5 Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't add jira tickets to oss repo prs.


Copy link
Contributor

@sanikachavan5 sanikachavan5 Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add unit tests for this.

applyReq.DirEnt.Value = buf.Bytes()

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / dev-build / build 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-enums 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-enums 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-enums 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-enums 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-enums 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint-32bit / lint 

undefined: buf (typecheck)

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / integration-test-with-deployer 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / lint / lint 

undefined: buf (typecheck)

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / build-amd64 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / build-386 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / dev-build / build 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / goldenfile-check 

undefined: buf

Check failure on line 260 in agent/kvs_endpoint.go

View workflow job for this annotation

GitHub Actions / build-arm 

undefined: buf

// Make the RPC
var out bool
Expand Down
Loading