From 7b96b9bc5721a2cd564592647bafb11425742ccf Mon Sep 17 00:00:00 2001
From: Nevyana Angelova
Date: Wed, 1 Apr 2026 17:24:15 +0300
Subject: [PATCH 1/3] Add request body size limits to plugin HTTP endpoints

---
 server/http.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/http.go b/server/http.go
index 41896a88..eae76042 100644
--- a/server/http.go
+++ b/server/http.go
@@ -22,6 +22,7 @@ import (
 )
 
 const (
+ maxRequestBodySize = 1 << 20 // 1 MB
 defaultMeetingTopic = "Zoom Meeting"
 zoomOAuthUserStateLength = 4
 settingDataError = "something went wrong while getting settings data"
@@ -81,6 +82,8 @@ func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Req
 return
 }
 
+ r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
+
 switch path := r.URL.Path; path {
 case pathWebhook:
 p.handleWebhook(w, r)

From 0a08a97a79e856a3c9e14afa74b268518424f3ab Mon Sep 17 00:00:00 2001
From: Nevyana Angelova
Date: Wed, 1 Apr 2026 17:26:15 +0300
Subject: [PATCH 2/3] update test

---
 server/webhook_test.go | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/server/webhook_test.go b/server/webhook_test.go
index f440b6ce..d55d7879 100644
--- a/server/webhook_test.go
+++ b/server/webhook_test.go
@@ -392,10 +392,10 @@ func TestWebhookBodyTooLarge(t *testing.T) {
 p.setConfiguration(testConfig)
 
 api.On("GetLicense").Return(nil)
- api.On("LogWarn", "Webhook request body too large")
+ api.On("LogWarn", "Cannot read body from Webhook")
 p.SetAPI(api)
 
- largeBody := make([]byte, maxWebhookBodySize+100)
+ largeBody := make([]byte, maxRequestBodySize+100)
 for i := range largeBody {
 largeBody[i] = 'a'
 }
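Review bot: The new `r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)` in ServeHTTP changes what the handlers below it observe on an oversized body: any read of `r.Body` past the limit now fails with a `*http.MaxBytesError`, and with the existing `http.Error(w, err.Error(), http.StatusBadRequest)` pattern in handleWebhook that becomes a 400 where the old explicit length check answered 413. That deserves a line at the wrapper so the next reader knows the limit is enforced here for every route, e.g. `// Cap every request body before dispatch; reads past the limit fail with *http.MaxBytesError.`, and the handlers that read the body should map that error type to `http.StatusRequestEntityTooLarge` so the status stays stable across endpoints. ServeHTTP starts before this hunk, so the guard that owns the `return` just above the new line is not visible; the cap only covers routes dispatched through this switch.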
@@ -407,7 +407,34 @@ func TestWebhookBodyTooLarge(t *testing.T) {
 
 p.ServeHTTP(&plugin.Context{}, w, request)
 
- require.Equal(t, 413, w.Result().StatusCode)
+ result := w.Result()
+ defer result.Body.Close()
+ require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)
+}
+
+func TestDeauthorizationBodyTooLarge(t *testing.T) {
+ api := &plugintest.API{}
+ p := Plugin{}
+ p.setConfiguration(testConfig)
+
+ api.On("GetLicense").Return(nil)
+ p.SetAPI(api)
+
+ largeBody := make([]byte, maxRequestBodySize+100)
+ for i := range largeBody {
+ largeBody[i] = 'a'
+ }
+
+ w := httptest.NewRecorder()
+ reqBody := io.NopCloser(bytes.NewReader(largeBody))
+ request := httptest.NewRequest("POST", "/deauthorization?secret=webhooksecret", reqBody)
+ request.Header.Add("Content-Type", "application/json")
+
+ p.ServeHTTP(&plugin.Context{}, w, request)
+
+ result := w.Result()
+ defer result.Body.Close()
+ require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)
 }
 
 func TestWebhookHandleTranscriptCompleted(t *testing.T) {

From 996fc455d5ffc2f0935521100763760a1829c85e Mon Sep 17 00:00:00 2001
From: Nevyana Angelova
Date: Wed, 1 Apr 2026 21:53:48 +0300
Subject: [PATCH 3/3] Remove unused maxWebhookBodySize constant

Made-with: Cursor
---
 server/webhook.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/server/webhook.go b/server/webhook.go
index e26a6c63..54020210 100644
--- a/server/webhook.go
+++ b/server/webhook.go
@@ -25,8 +25,7 @@ import (
 )
 
 const bearerString = "Bearer "
-const maxWebhookBodySize = 1 << 20 // 1MB
-const maxDownloadSize = 10 << 20 // 10MB
+const maxDownloadSize = 10 << 20 // 10MB
 
 func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
 if !p.verifyMattermostWebhookSecret(r) {
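Review bot: `require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)`, used in both TestWebhookBodyTooLarge and the new TestDeauthorizationBodyTooLarge, accepts two different outcomes, so neither test pins which path rejected the body, and on failure testify prints only "Should be true" without the observed status. Once the handlers map `*http.MaxBytesError` to 413 the assertion can go back to one value, `require.Equal(t, http.StatusRequestEntityTooLarge, result.StatusCode)`; until then `require.Contains(t, []int{http.StatusBadRequest, http.StatusRequestEntityTooLarge}, result.StatusCode)` at least reports the actual code. The earlier hunk of this file, which switches the `LogWarn` expectation from `Webhook request body too large` to `Cannot read body from Webhook`, already records that the 413 branch is no longer the one being exercised.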
@@ -42,13 +41,13 @@ func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- b, err := io.ReadAll(io.LimitReader(r.Body, maxWebhookBodySize+1))
+ b, err := io.ReadAll(io.LimitReader(r.Body, maxRequestBodySize+1))
 if err != nil {
 p.API.LogWarn("Cannot read body from Webhook")
 http.Error(w, err.Error(), http.StatusBadRequest)
 return
 }
- if int64(len(b)) > maxWebhookBodySize {
+ if int64(len(b)) > maxRequestBodySize {
 p.API.LogWarn("Webhook request body too large")
 http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
 return
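Review bot: The `if int64(len(b)) > maxRequestBodySize` branch is unreachable after the first patch of this series: ServeHTTP now wraps `r.Body` in `http.MaxBytesReader(w, r.Body, maxRequestBodySize)`, so the `io.ReadAll(io.LimitReader(r.Body, maxRequestBodySize+1))` read fails with a `*http.MaxBytesError` at byte maxRequestBodySize+1, before `len(b)` can exceed the limit, and every oversized webhook is answered from the `err != nil` branch with 400 and `Cannot read body from Webhook`. The 413 and its `Webhook request body too large` warning should be produced by inspecting the read error instead, after which the LimitReader and the length check can go. handleWebhook begins before this hunk and continues after it, and this assumes `errors` is (or can be) imported in server/webhook.go — confirm.
```go
	b, err := io.ReadAll(r.Body)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			p.API.LogWarn("Webhook request body too large")
			http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		p.API.LogWarn("Cannot read body from Webhook")
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// … unchanged: rest of handleWebhook …
```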