🔒 [security fix] Restrict URL length to mitigate DoS risk #61
ToolchainLab wants to merge 2 commits into main from
This commit introduces a configurable maximum URL length limit to mitigate potential Denial of Service (DoS) attacks where extremely long URLs could lead to resource exhaustion.

- Added `max_url_length` to `Config` (defaults to 65536).
- Added `MAX_URL_LENGTH` environment variable support.
- Enforced URL length validation in the `create_url` API handler.
- Added integration tests to verify the fix.

Co-authored-by: ToolchainLab <263750431+ToolchainLab@users.noreply.github.com>
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with

New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
This commit replaces the superficial security tests with a rigorous, implementation-level integration test suite covering critical threat vectors.

- Added `tests/security_auth_tests.rs`: JWT claim extraction and role validation.
- Added `tests/security_redirect_tests.rs`: SSRF, open redirect, and Punycode spoofing.
- Added `tests/security_analytics_tests.rs`: IP spoofing and trust chain validation.
- Added `tests/security_injection_tests.rs`: SQLi and XSS resilience in storage.
- Added `tests/security_concurrency_tests.rs`: TOCTOU race condition stress tests.
- Centralized malicious payloads in `tests/common/payloads.rs`.
- Documented testing strategy in `docs/SECURITY_TEST_PLAN.md`.
- Generated final security verification report in `docs/SECURITY_DOD_REPORT.md`.
- Removed redundant `tests/security_tests.rs`.

Co-authored-by: ToolchainLab <263750431+ToolchainLab@users.noreply.github.com>
🔒 Security Fix: Unrestricted URL Length (DoS Risk)
🎯 What:
This PR implements a maximum length restriction for the input URL during the creation of shortened links.
Previously, the application did not enforce a maximum length on the `url` field when creating a shortened URL. An attacker could exploit this by submitting extremely large URLs (e.g., several megabytes), potentially causing:

🛡️ Solution:

- Added `max_url_length` to the application configuration in `src/config/mod.rs`. It defaults to 65,536 characters (64 KB), which provides a generous buffer for content-heavy URLs while still protecting against extreme DoS scenarios.
- Added the `MAX_URL_LENGTH` environment variable to allow operators to customize this limit based on their infrastructure (e.g., matching CDN or proxy limits).
- Updated the `create_url` handler in `src/api/handlers.rs` to validate the length of the incoming URL against the configured limit, returning a `400 Bad Request` if exceeded.
- Added `tests/security_tests.rs` with integration tests that verify both the enforcement of the limit and the acceptance of valid URLs.

The fix was verified through manual review and code formatting (`cargo fmt`). The default limit was intentionally set to 64KB to accommodate legitimate use cases where URLs encode significant metadata, while still providing a robust safety net against memory exhaustion attacks.

PR created automatically by Jules for task 10262855334315483500 started by @ToolchainLab
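A stand-alone sketch of the check the PR description outlines, added here as an illustrative example; it is not code from this PR or from the project. The 65,536 default, the `MAX_URL_LENGTH` variable name and the 400 response come from the description above; the `Config`, `from_raw_limit`, `ApiError` and `check_url_length` names, the rejection of zero or unparsable limit values, and the decision to measure bytes rather than characters are assumptions made for this example, not details the PR states.

```rust
use std::env;

/// Default maximum URL length in bytes (64 KiB), the default the PR description gives.
pub const DEFAULT_MAX_URL_LENGTH: usize = 65_536;

/// Minimal stand-in for the project's `Config`; only the field relevant here.
#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub max_url_length: usize,
}

impl Default for Config {
    fn default() -> Self {
        Config { max_url_length: DEFAULT_MAX_URL_LENGTH }
    }
}

impl Config {
    /// Reads `MAX_URL_LENGTH` from the environment; an unset variable means the default.
    pub fn from_env() -> Result<Self, String> {
        let raw = env::var("MAX_URL_LENGTH").ok();
        Self::from_raw_limit(raw.as_deref())
    }

    /// Parses an operator-supplied limit. Zero or an unparsable value is an error
    /// rather than a silent fallback, so a typo in deployment config cannot disable
    /// the check. (Assumed policy for this example; the PR does not say how it
    /// treats bad values.)
    pub fn from_raw_limit(raw: Option<&str>) -> Result<Self, String> {
        let max_url_length = match raw {
            None => DEFAULT_MAX_URL_LENGTH,
            Some(s) => match s.trim().parse::<usize>() {
                Ok(0) => return Err("MAX_URL_LENGTH must be greater than zero".to_string()),
                Ok(n) => n,
                Err(_) => return Err(format!("MAX_URL_LENGTH is not a valid integer: {:?}", s)),
            },
        };
        Ok(Config { max_url_length })
    }
}

/// Error the handler would map to an HTTP response; `status` is 400 for a rejected URL.
#[derive(Debug, Clone, PartialEq)]
pub struct ApiError {
    pub status: u16,
    pub message: String,
}

/// The check a `create_url` handler would run before touching storage. It measures
/// bytes (`str::len`), not `chars().count()`: a limit counted in characters would let
/// a URL of 65,536 four-byte characters occupy 256 KiB, and bytes are what memory,
/// bandwidth and storage actually consume.
pub fn check_url_length(cfg: &Config, url: &str) -> Result<(), ApiError> {
    let len = url.len();
    if len > cfg.max_url_length {
        return Err(ApiError {
            status: 400,
            message: format!(
                "URL is {} bytes; the maximum allowed is {} bytes",
                len, cfg.max_url_length
            ),
        });
    }
    Ok(())
}

fn main() {
    let cfg = Config::from_env().unwrap_or_default();
    // Constructed inputs: an ordinary URL and one just over the default limit.
    let ok = "https://example.com/path?q=1";
    let oversized = format!("https://example.com/{}", "a".repeat(DEFAULT_MAX_URL_LENGTH));
    println!("{:?}", check_url_length(&cfg, ok));
    println!("{:?}", check_url_length(&cfg, &oversized).map_err(|e| e.status));
}
```

One caveat when wiring a check like this into a handler: it runs only after the framework has already read and deserialized the whole request body, so on its own it does not bound the memory spent receiving an oversized request. It protects storage and downstream processing; the request-size limit of the web framework or reverse proxy (which the description suggests matching `MAX_URL_LENGTH` to) is what bounds the receive path, and it should be no looser than the URL limit plus the rest of the JSON envelope.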