Merge commit from fork

blotus · blotus · commit 54a0dfe6c16b · 2026-05-11T09:51:19.000+02:00
* lapi: enforce a maximum body size

* add tests
diff --git a/pkg/apiserver/body_limit_test.go b/pkg/apiserver/body_limit_test.go
@@ -0,0 +1,135 @@
+package apiserver
+
+import (
+	"bytes"
+	"compress/gzip"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	middlewares "github.com/crowdsecurity/crowdsec/pkg/apiserver/middlewares/v1"
+)
+
+// When the MaxBytesReader cap is exceeded, encoding/json surfaces this error
+// string from the underlying read. The handlers return it verbatim in the 400
+// response, which lets us assert the middleware is the actual rejecter (as
+// opposed to a parse or validation error on a truncated body).
+const bodyTooLargeMsg = "http: request body too large"
+
+// TestBodyLimit_UnauthenticatedOverLimit posts a JSON document larger than the
+// 2 MiB cap on the unauthenticated /v1/watchers endpoint and asserts the
+// middleware trips.
+func TestBodyLimit_UnauthenticatedOverLimit(t *testing.T) {
+	ctx := t.Context()
+	router, _ := NewAPITest(t, ctx)
+
+	body := oversizedJSON(t, int(middlewares.UnauthenticatedBodyLimit)+1024)
+
+	w := httptest.NewRecorder()
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "/v1/watchers", strings.NewReader(body))
+	require.NoError(t, err)
+	req.Header.Set("User-Agent", UserAgent)
+	req.Header.Set("Content-Type", "application/json")
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Contains(t, w.Body.String(), bodyTooLargeMsg)
+}
+
+// TestBodyLimit_UnauthenticatedUnderLimit sends the same style of request but
+// well under the 2 MiB cap, so the middleware must not fire. We don't care
+// whether registration ultimately succeeds — only that the failure (if any) is
+// not a body-size rejection.
+func TestBodyLimit_UnauthenticatedUnderLimit(t *testing.T) {
+	ctx := t.Context()
+	router, _ := NewAPITest(t, ctx)
+
+	// Valid registration payload, definitely below 2 MiB.
+	body := `{"machine_id":"test","password":"test"}`
+
+	w := httptest.NewRecorder()
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "/v1/watchers", strings.NewReader(body))
+	require.NoError(t, err)
+	req.Header.Set("User-Agent", UserAgent)
+	req.Header.Set("Content-Type", "application/json")
+	router.ServeHTTP(w, req)
+
+	assert.NotContains(t, w.Body.String(), bodyTooLargeMsg)
+}
+
+// TestBodyLimit_AuthenticatedAboveUnauthCap verifies that an authenticated
+// endpoint accepts bodies larger than the unauthenticated cap. The alert
+// payload here is not semantically valid, so we don't expect 2xx — but the
+// rejection must not come from the body-size middleware.
+func TestBodyLimit_AuthenticatedAboveUnauthCap(t *testing.T) {
+	ctx := t.Context()
+	lapi := SetupLAPITest(t, ctx)
+
+	// Build a payload ~4 MiB: over the unauth 2 MiB cap, well under the 50 MiB
+	// auth cap. Uses the alert-array shape so we get past the JSON top-level
+	// type check and into field validation (which will fail — that's fine).
+	size := int(middlewares.UnauthenticatedBodyLimit) * 2
+	body := `[{"message":"` + strings.Repeat("a", size) + `"}]`
+
+	w := lapi.RecordResponse(t, ctx, http.MethodPost, "/v1/alerts", strings.NewReader(body), passwordAuthType)
+
+	assert.NotContains(t, w.Body.String(), bodyTooLargeMsg)
+}
+
+// TestBodyLimit_AuthenticatedOverLimit posts a payload above the 50 MiB auth
+// cap and asserts the middleware trips.
+func TestBodyLimit_AuthenticatedOverLimit(t *testing.T) {
+	ctx := t.Context()
+	lapi := SetupLAPITest(t, ctx)
+
+	size := int(middlewares.AuthenticatedBodyLimit) + 1024
+	body := `[{"message":"` + strings.Repeat("a", size) + `"}]`
+
+	w := lapi.RecordResponse(t, ctx, http.MethodPost, "/v1/alerts", strings.NewReader(body), passwordAuthType)
+
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Contains(t, w.Body.String(), bodyTooLargeMsg)
+}
+
+// TestBodyLimit_GzipDecompressedSize confirms the cap is enforced on the
+// *decompressed* size: a small compressed payload that expands past the
+// unauthenticated cap must be rejected.
+func TestBodyLimit_GzipDecompressedSize(t *testing.T) {
+	ctx := t.Context()
+	router, _ := NewAPITest(t, ctx)
+
+	// Pad a valid-looking JSON doc with a large whitespace run; zeros/spaces
+	// compress to a tiny payload but expand past the 2 MiB cap.
+	decompressed := `{"machine_id":"test","password":"test","_pad":"` +
+		strings.Repeat(" ", int(middlewares.UnauthenticatedBodyLimit)+1024) + `"}`
+
+	var compressed bytes.Buffer
+	gz := gzip.NewWriter(&compressed)
+	_, err := gz.Write([]byte(decompressed))
+	require.NoError(t, err)
+	require.NoError(t, gz.Close())
+	require.Less(t, compressed.Len(), int(middlewares.UnauthenticatedBodyLimit),
+		"compressed body must be under the cap so only the decompressed size can trip it")
+
+	w := httptest.NewRecorder()
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "/v1/watchers", bytes.NewReader(compressed.Bytes()))
+	require.NoError(t, err)
+	req.Header.Set("User-Agent", UserAgent)
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Content-Encoding", "gzip")
+	router.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusBadRequest, w.Code)
+	assert.Contains(t, w.Body.String(), bodyTooLargeMsg)
+}
+
+// oversizedJSON returns a syntactically-valid JSON object whose raw size is at
+// least `size` bytes, via a long string field.
+func oversizedJSON(t *testing.T, size int) string {
+	t.Helper()
+	return `{"machine_id":"test","password":"test","_pad":"` + strings.Repeat("a", size) + `"}`
+}
diff --git a/pkg/apiserver/controllers/controller.go b/pkg/apiserver/controllers/controller.go
@@ -10,6 +10,7 @@ import (
 	"github.com/gin-gonic/gin"
 
 	v1 "github.com/crowdsecurity/crowdsec/pkg/apiserver/controllers/v1"
+	middlewaresv1 "github.com/crowdsecurity/crowdsec/pkg/apiserver/middlewares/v1"
 	"github.com/crowdsecurity/crowdsec/pkg/csconfig"
 	"github.com/crowdsecurity/crowdsec/pkg/database"
 	"github.com/crowdsecurity/crowdsec/pkg/logging"
@@ -110,13 +111,16 @@ func (c *Controller) NewV1() error {
 		ctx.AbortWithStatus(http.StatusMethodNotAllowed)
 	})
 
+	unauthBodyLimit := middlewaresv1.BodyLimit(middlewaresv1.UnauthenticatedBodyLimit)
+	authBodyLimit := middlewaresv1.BodyLimit(middlewaresv1.AuthenticatedBodyLimit)
+
 	groupV1 := c.Router.Group("/v1")
-	groupV1.POST("/watchers", c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
-	groupV1.POST("/watchers/login", c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)
+	groupV1.POST("/watchers", unauthBodyLimit, c.HandlerV1.AbortRemoteIf(c.DisableRemoteLapiRegistration), c.HandlerV1.CreateMachine)
+	groupV1.POST("/watchers/login", unauthBodyLimit, c.HandlerV1.Middlewares.JWT.Middleware.LoginHandler)
 
 	jwtAuth := groupV1.Group("")
 	jwtAuth.GET("/refresh_token", c.HandlerV1.Middlewares.JWT.Middleware.RefreshHandler)
-	jwtAuth.Use(c.HandlerV1.Middlewares.JWT.Middleware.MiddlewareFunc(), v1.PrometheusMachinesMiddleware)
+	jwtAuth.Use(authBodyLimit, c.HandlerV1.Middlewares.JWT.Middleware.MiddlewareFunc(), v1.PrometheusMachinesMiddleware)
 	{
 		jwtAuth.POST("/alerts", c.HandlerV1.CreateAlert)
 		jwtAuth.GET("/alerts", c.HandlerV1.FindAlerts)
@@ -137,7 +141,7 @@ func (c *Controller) NewV1() error {
 	}
 
 	apiKeyAuth := groupV1.Group("")
-	apiKeyAuth.Use(c.HandlerV1.Middlewares.APIKey.Middleware, v1.PrometheusBouncersMiddleware)
+	apiKeyAuth.Use(authBodyLimit, c.HandlerV1.Middlewares.APIKey.Middleware, v1.PrometheusBouncersMiddleware)
 	{
 		apiKeyAuth.GET("/decisions", c.HandlerV1.GetDecision)
 		apiKeyAuth.HEAD("/decisions", c.HandlerV1.GetDecision)
@@ -146,7 +150,7 @@ func (c *Controller) NewV1() error {
 	}
 
 	eitherAuth := groupV1.Group("")
-	eitherAuth.Use(eitherAuthMiddleware(c.HandlerV1.Middlewares.JWT.Middleware.MiddlewareFunc(), c.HandlerV1.Middlewares.APIKey.Middleware))
+	eitherAuth.Use(authBodyLimit, eitherAuthMiddleware(c.HandlerV1.Middlewares.JWT.Middleware.MiddlewareFunc(), c.HandlerV1.Middlewares.APIKey.Middleware))
 	{
 		eitherAuth.POST("/usage-metrics", c.HandlerV1.UsageMetrics)
 	}
diff --git a/pkg/apiserver/middlewares/v1/body_limit.go b/pkg/apiserver/middlewares/v1/body_limit.go
@@ -0,0 +1,23 @@
+package v1
+
+import (
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+)
+
+// Maximum body size for LAPI queries
+// Applies to the decompressed body if it's gzipped
+const (
+	UnauthenticatedBodyLimit int64 = 2 * 1024 * 1024  // 2 MiB
+	AuthenticatedBodyLimit   int64 = 50 * 1024 * 1024 // 50 MiB
+)
+
+func BodyLimit(max int64) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if c.Request.Body != nil {
+			c.Request.Body = http.MaxBytesReader(c.Writer, c.Request.Body, max)
+		}
+		c.Next()
+	}
+}
