3 changes: 3 additions & 0 deletions server/http.go
Expand Up @@ -22,6 +22,7 @@ import (
)

const (
maxRequestBodySize = 1 << 20 // 1 MB
defaultMeetingTopic = "Zoom Meeting"
zoomOAuthUserStateLength = 4
settingDataError = "something went wrong while getting settings data"
Expand Down Expand Up @@ -81,6 +82,8 @@ func (p *Plugin) ServeHTTP(c *plugin.Context, w http.ResponseWriter, r *http.Req
return
}

r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)

switch path := r.URL.Path; path {
case pathWebhook:
p.handleWebhook(w, r)
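Review bot: The new `r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)` line in ServeHTTP carries no comment, although it changes the contract for every route dispatched by the `switch` below it: a handler that reads past the cap now gets a read error instead of data. I would add `// Cap the body for every route before dispatch; reads past maxRequestBodySize fail in the handler.` above it, and word the constant's comment as `// upper bound for any request body handled by ServeHTTP (1 MiB)`. Whether any route legitimately accepts a larger body cannot be seen from this hunk and is worth confirming before the limit ships. ServeHTTP starts and ends outside the hunk.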
7 changes: 3 additions & 4 deletions server/webhook.go
Expand Up @@ -25,8 +25,7 @@ import (
)

const bearerString = "Bearer "
const maxWebhookBodySize = 1 << 20 // 1MB
const maxDownloadSize = 10 << 20 // 10MB
const maxDownloadSize = 10 << 20 // 10MB

func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
if !p.verifyMattermostWebhookSecret(r) {
Expand All @@ -42,13 +41,13 @@ func (p *Plugin) handleWebhook(w http.ResponseWriter, r *http.Request) {
return
}

b, err := io.ReadAll(io.LimitReader(r.Body, maxWebhookBodySize+1))
b, err := io.ReadAll(io.LimitReader(r.Body, maxRequestBodySize+1))
if err != nil {
p.API.LogWarn("Cannot read body from Webhook")
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if int64(len(b)) > maxWebhookBodySize {
if int64(len(b)) > maxRequestBodySize {
p.API.LogWarn("Webhook request body too large")
http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
return
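Review bot: The `len(b) > maxRequestBodySize` branch in handleWebhook looks unreachable when the request arrives through ServeHTTP, because the body is already wrapped by `http.MaxBytesReader` at the same limit and `io.ReadAll` fails before the extra byte is returned. An oversized webhook is then answered from the `err != nil` branch with 400 and the reader's error text rather than 413, which matches the mock expectation changing to "Cannot read body from Webhook" in webhook_test.go. Distinguishing the limit error with `errors.As` against `*http.MaxBytesError` would keep the 413 and the "too large" log line; this assumes the module builds with Go 1.19 or later and that `errors` is imported, neither of which is visible here. handleWebhook continues outside the hunk.

```go
b, err := io.ReadAll(io.LimitReader(r.Body, maxRequestBodySize+1))
if err != nil {
	// The cap set in ServeHTTP surfaces here as *http.MaxBytesError.
	var tooLarge *http.MaxBytesError
	if errors.As(err, &tooLarge) {
		p.API.LogWarn("Webhook request body too large")
		http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	// … unchanged: generic read-failure branch (LogWarn + 400) …
}
// … unchanged: len(b) > maxRequestBodySize check for callers that bypass ServeHTTP …
```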
33 changes: 30 additions & 3 deletions server/webhook_test.go
Expand Up @@ -392,10 +392,10 @@ func TestWebhookBodyTooLarge(t *testing.T) {
p.setConfiguration(testConfig)

api.On("GetLicense").Return(nil)
api.On("LogWarn", "Webhook request body too large")
api.On("LogWarn", "Cannot read body from Webhook")
p.SetAPI(api)

largeBody := make([]byte, maxWebhookBodySize+100)
largeBody := make([]byte, maxRequestBodySize+100)
Contributor


I see that the webhook payload test has been updated to reference maxRequestBodySize instead of maxWebhookBodySize, so we might want to remove maxWebhookBodySize from webhook.go entirely to solely use this new constant in https://github.com/mattermost/mattermost-plugin-zoom/pull/446/changes#diff-e3302fa7fe65284d10a8f46bad75c6e182a9b39a0400fb09f888d0dde5a79bf9R42


+1 to this, the rest looks good to me :)

for i := range largeBody {
largeBody[i] = 'a'
}
Expand All @@ -407,7 +407,34 @@ func TestWebhookBodyTooLarge(t *testing.T) {

p.ServeHTTP(&plugin.Context{}, w, request)

require.Equal(t, 413, w.Result().StatusCode)
result := w.Result()
defer result.Body.Close()
require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)
}

func TestDeauthorizationBodyTooLarge(t *testing.T) {
api := &plugintest.API{}
p := Plugin{}
p.setConfiguration(testConfig)

api.On("GetLicense").Return(nil)
p.SetAPI(api)

largeBody := make([]byte, maxRequestBodySize+100)
for i := range largeBody {
largeBody[i] = 'a'
}

w := httptest.NewRecorder()
reqBody := io.NopCloser(bytes.NewReader(largeBody))
request := httptest.NewRequest("POST", "/deauthorization?secret=webhooksecret", reqBody)
request.Header.Add("Content-Type", "application/json")

p.ServeHTTP(&plugin.Context{}, w, request)

result := w.Result()
defer result.Body.Close()
require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)
}

func TestWebhookHandleTranscriptCompleted(t *testing.T) {
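Review bot: The assertion `require.True(t, result.StatusCode == http.StatusBadRequest || result.StatusCode == http.StatusRequestEntityTooLarge)` in TestWebhookBodyTooLarge and TestDeauthorizationBodyTooLarge accepts two different outcomes, so neither test pins which status an oversized body produces. On failure it also reports only that a boolean was false, not the code that came back. If 413 is the intended contract, `require.Equal(t, http.StatusRequestEntityTooLarge, result.StatusCode)` states it directly. If both codes are acceptable for now, `require.Contains(t, []int{http.StatusBadRequest, http.StatusRequestEntityTooLarge}, result.StatusCode)` at least prints the actual status.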