nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Webhooks: clean up request body guards

This commit is contained in:
Vincent Koc 2026-03-14 23:20:16 -07:00
parent 0ba757fc41
commit 35436c979e
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
extensions/mattermost/src/mattermost/slash-http.ts
View File

@ -209,8 +209,6 @@ async function authorizeSlashInvocation(params: {
export function createSlashCommandHttpHandler(params: SlashHttpHandlerParams) { export function createSlashCommandHttpHandler(params: SlashHttpHandlerParams) {
const { account, cfg, runtime, commandTokens, triggerMap, log } = params; const { account, cfg, runtime, commandTokens, triggerMap, log } = params;
const MAX_BODY_BYTES = 64 * 1024; // 64KB
return async (req: IncomingMessage, res: ServerResponse): Promise<void> => { return async (req: IncomingMessage, res: ServerResponse): Promise<void> => {
if (req.method !== "POST") { if (req.method !== "POST") {
res.statusCode = 405; res.statusCode = 405;

2
extensions/nextcloud-talk/src/monitor.ts
View File

@ -173,6 +173,8 @@ export function readNextcloudTalkWebhookBody(
maxBodyBytes: number, maxBodyBytes: number,
): Promise<string> { ): Promise<string> {
return readRequestBodyWithLimit(req, { return readRequestBodyWithLimit(req, {
// This read happens before signature verification, so keep the unauthenticated
// body budget bounded even if the operator-configured post-parse limit is larger.
maxBytes: Math.min(maxBodyBytes, PREAUTH_WEBHOOK_MAX_BODY_BYTES), maxBytes: Math.min(maxBodyBytes, PREAUTH_WEBHOOK_MAX_BODY_BYTES),
timeoutMs: PREAUTH_WEBHOOK_BODY_TIMEOUT_MS, timeoutMs: PREAUTH_WEBHOOK_BODY_TIMEOUT_MS,
}); });