
Security: Unbounded request body reading enables DoS attacks #33

@sgaunet

Description

The server reads the entire request body into memory with io.ReadAll and no size limit, so a client can force the process to allocate as much memory as the client is willing to send. This enables memory-exhaustion denial of service.

Location

http-echo.go:66

body, _ := io.ReadAll(r.Body)

Impact

  • Severity: HIGH (Security)
  • Attack Vector: POST/PUT requests with multi-GB bodies; no credentials or special headers needed
  • Memory exhaustion leading to OOM kills (io.ReadAll also reallocates as the buffer grows, so peak usage exceeds the body size)
  • Service unavailability
  • Potential for cascading failures in container environments (repeated OOM kills and restarts of the pod)

Vulnerability Details

An attacker can send an arbitrarily large request body; the server buffers all of it before the handler looks at the content:

# Attack example: stream 10 GB of zeros as the request body
dd if=/dev/zero bs=1M count=10000 | curl -X POST -H "Content-Type: application/octet-stream" --data-binary @- http://target:8080/

Note that curl loads a --data-binary payload into its own memory before sending it, so for a genuinely streamed body use -T - instead (curl -X POST -T - http://target:8080/), which sends stdin with chunked transfer encoding.

Even with MaxHeaderBytes: 1MB configured on the http.Server, that setting only bounds the request line and headers. net/http has no server-wide setting for the body size, so the limit has to be applied on r.Body in the handler.

Recommended Fix

Use io.LimitReader to enforce a maximum body size. This bounds memory but does not reject the request: the reader returns io.EOF after maxBodySize bytes, the remaining bytes are left unread on the connection, and the client receives a normal response with no indication that its body was truncated.

const maxBodySize = 10 << 20 // 10 MiB

func (h helloWorldhandler) collectRequestInfo(r *http.Request, startTime time.Time) requestInfo {
    defer r.Body.Close()

    // Parse form data. For application/x-www-form-urlencoded requests ParseForm
    // consumes the body itself (with its own built-in 10 MB cap), so the read
    // below returns nothing for such requests.
    _ = r.ParseForm()

    // Read body with size limit. LimitReader truncates silently: an oversized
    // body yields exactly maxBodySize bytes and a nil error.
    limitedReader := io.LimitReader(r.Body, maxBodySize)
    body, err := io.ReadAll(limitedReader)
    if err != nil {
        log.Printf("Body read error: %v", err)
        body = []byte("(body read error)")
    }

    // ... rest of function
}

Alternative Approach

For stricter enforcement, use http.MaxBytesReader. It needs the http.ResponseWriter, so it must be applied in the handler before collectRequestInfo is called (or collectRequestInfo must take w). Reading past the limit returns an error (*http.MaxBytesError on Go 1.19+, which can be distinguished from other read errors with errors.As), and the server closes the connection after the response is written instead of draining the rest of the body:

r.Body = http.MaxBytesReader(w, r.Body, maxBodySize)
body, err := io.ReadAll(r.Body)
if err != nil {
    http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
    return
}

Testing

  • Send requests with bodies > 10MB (for example the dd | curl command above)
  • Verify they are rejected with 413 Request Entity Too Large (http.MaxBytesReader) or truncated to 10MB (io.LimitReader)
  • Confirm memory usage stays bounded under attack (watch the RSS of the process while the request is in flight)
  • Load test with concurrent large requests to confirm the bound holds per connection, not just for a single request
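
As an added, self-contained example (not code from the http-echo project) covering both fixes above and the checks in this Testing list: it wires http.MaxBytesReader into a hypothetical boundedEchoHandler, shows that the io.LimitReader variant truncates without returning an error, and drives both through net/http/httptest so the 200/413 behaviour can be checked without a network. The function names, the handler, and the small limits used in the demo calls are assumptions for illustration, not http-echo's code.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// readTruncated is the io.LimitReader approach from "Recommended Fix":
// it returns at most limit bytes and a nil error, so the caller cannot tell a
// 10 MiB body from a 10 GiB one, and the client is never told it was cut off.
func readTruncated(body io.Reader, limit int64) ([]byte, error) {
	return io.ReadAll(io.LimitReader(body, limit))
}

// readBounded is the http.MaxBytesReader approach from "Alternative Approach":
// reading past limit yields *http.MaxBytesError (Go 1.19+) and the server
// closes the connection once the response is written, so the rest of the body
// is never buffered.
func readBounded(w http.ResponseWriter, r *http.Request, limit int64) ([]byte, error) {
	r.Body = http.MaxBytesReader(w, r.Body, limit)
	return io.ReadAll(r.Body)
}

// boundedEchoHandler is a hypothetical stand-in for the project's echo handler.
// It answers 413 for oversized bodies and 200 with the byte count otherwise.
func boundedEchoHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := readBounded(w, r, limit)
		if err != nil {
			var tooLarge *http.MaxBytesError
			if errors.As(err, &tooLarge) {
				http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			// Any other read error (client disconnect, malformed chunking) is not
			// the client's body being too large.
			http.Error(w, "Bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "read %d bytes\n", len(body))
	}
}

// postStatus sends one in-process POST of bodyLen constructed bytes to h and
// returns the HTTP status, mirroring the "Testing" checklist without a network.
func postStatus(h http.Handler, bodyLen int) int {
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(strings.Repeat("A", bodyLen)))
	req.Header.Set("Content-Type", "application/octet-stream")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const limit = 10 << 20 // 10 MiB, the cap proposed in the issue
	h := boundedEchoHandler(limit)
	fmt.Println("in-limit body status:", postStatus(h, 1024))    // 200
	fmt.Println("oversized body status:", postStatus(h, limit+1)) // 413

	// The LimitReader variant never errors; it quietly keeps the first limit bytes.
	got, err := readTruncated(strings.NewReader(strings.Repeat("B", 100)), 16)
	fmt.Println("LimitReader kept", len(got), "bytes, err =", err) // 16 <nil>
}
```

The key difference the two helpers make visible: readBounded turns an oversized body into an error the handler can map to 413, while readTruncated returns success and leaves the rest of the body on the wire, which is why the MaxBytesReader variant is the one to use for rejecting the request rather than merely surviving it.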

Priority

High - Security vulnerability that should be patched before production use.
