From 69aa0c6cc43ae42d1dcafefe0f870b167a7277b9 Mon Sep 17 00:00:00 2001
From: Bogdan Artemenko
Date: Fri, 20 Sep 2019 20:40:26 +0300
Subject: [PATCH] satellite/console: GraphQL input length limitation. (#3045)

---
 satellite/console/consoleweb/server.go |  5 +++--
 satellite/console/consoleweb/utils.go  | 19 ++++++++++++-------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/satellite/console/consoleweb/server.go b/satellite/console/consoleweb/server.go
index c8d0582a3..f2d799d1b 100644
--- a/satellite/console/consoleweb/server.go
+++ b/satellite/console/consoleweb/server.go
@@ -122,7 +122,8 @@ func NewServer(logger *zap.Logger, config Config, service *console.Service, mail
 	}
 
 	server.server = http.Server{
-		Handler: mux,
+		Handler:        mux,
+		MaxHeaderBytes: ContentLengthLimit.Int(),
 	}
 
 	return &server
@@ -393,7 +394,7 @@ func (server *Server) grapqlHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set(contentType, applicationJSON)
 
 	token := getToken(r)
-	query, err := getQuery(r)
+	query, err := getQuery(w, r)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
diff --git a/satellite/console/consoleweb/utils.go b/satellite/console/consoleweb/utils.go
index 2f314df8a..e3ee426a8 100644
--- a/satellite/console/consoleweb/utils.go
+++ b/satellite/console/consoleweb/utils.go
@@ -12,9 +12,13 @@ import (
 
 	"github.com/zeebo/errs"
 
+	"storj.io/storj/internal/memory"
 	"storj.io/storj/satellite/console/consoleweb/consoleql"
 )
 
+// ContentLengthLimit describes 4KB limit
+const ContentLengthLimit = 4 * memory.KB
+
 func init() {
 	err := mime.AddExtensionType(".ttf", "font/ttf")
 	if err != nil {
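Review bot: `MaxHeaderBytes: ContentLengthLimit.Int()` in the first server.go hunk caps the request line plus all headers at 4 KB (net/http's default is 1 MiB), which is a much tighter budget than a body cap: an auth token carried in a cookie or Authorization header, a long GET GraphQL query string, or an ordinary browser cookie set can exhaust it and be rejected before the handler runs. A header budget and a body budget are different quantities, so the header cap deserves its own named constant (e.g. `MaxHeaderBytes: maxHeaderBytes` with a separately chosen value) rather than reusing a constant whose name and comment, in the utils.go hunk below, describe content length. Whichever way that is resolved, the doc comment on `ContentLengthLimit` should state what it actually gates; suggested: `// ContentLengthLimit is the maximum number of bytes accepted in a GraphQL request body (and, via NewServer, in request headers).`. The `http.Server` literal still sets no `ReadHeaderTimeout` or `ReadTimeout`, so the size cap bounds memory per request but not how long a slow client may hold a connection open. NewServer starts and ends outside the hunk.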
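Review bot: In the second server.go hunk the `getQuery(w, r)` error path still answers every failure with `http.StatusBadRequest`, so an oversized body — which `http.MaxBytesReader` reports as its own error and which also tells the server to close the connection after the response — is indistinguishable to the client from a malformed query. 413 is the accurate status for that case; the repository's Go version at this commit is not visible here, and before Go 1.19 there is no typed error to test for, so the cleanest option then is for `queryPOST` to translate the too-large error into a package sentinel the handler checks with `errors.Is`. On Go 1.19+ the check is `var tooLarge *http.MaxBytesError` / `if errors.As(err, &tooLarge) { http.Error(w, err.Error(), http.StatusRequestEntityTooLarge); return }` ahead of the existing 400 response. `err.Error()` is also echoed verbatim into the response body, which for the JSON branch reproduces decoder internals; logging the detail and returning a fixed message is the usual choice. grapqlHandler continues outside the hunk.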
@@ -49,28 +53,29 @@ func getToken(req *http.Request) string {
 }
 
 // getQuery retrieves graphql query from request
-func getQuery(req *http.Request) (query graphqlJSON, err error) {
+func getQuery(w http.ResponseWriter, req *http.Request) (query graphqlJSON, err error) {
 	switch req.Method {
 	case http.MethodGet:
 		query.Query = req.URL.Query().Get(consoleql.Query)
 		return query, nil
 	case http.MethodPost:
-		return queryPOST(req)
+		return queryPOST(w, req)
 	default:
 		return query, errs.New("wrong http request type")
 	}
 }
 
 // queryPOST retrieves graphql query from POST request
-func queryPOST(req *http.Request) (query graphqlJSON, err error) {
+func queryPOST(w http.ResponseWriter, req *http.Request) (query graphqlJSON, err error) {
+	limitedReader := http.MaxBytesReader(w, req.Body, ContentLengthLimit.Int64())
 	switch typ := req.Header.Get(contentType); typ {
 	case applicationGraphql:
-		body, err := ioutil.ReadAll(req.Body)
+		body, err := ioutil.ReadAll(limitedReader)
 		query.Query = string(body)
-		return query, errs.Combine(err, req.Body.Close())
+		return query, errs.Combine(err, limitedReader.Close())
 	case applicationJSON:
-		err := json.NewDecoder(req.Body).Decode(&query)
-		return query, errs.Combine(err, req.Body.Close())
+		err := json.NewDecoder(limitedReader).Decode(&query)
+		return query, errs.Combine(err, limitedReader.Close())
 	default:
 		return query, errs.New("can't parse request body of type %s", typ)
 	}
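Review bot: The new `limitedReader` in `queryPOST` bounds only the POST body, and neither doc comment records the limit or its scope; the GET branch of `getQuery` takes the query from `req.URL.Query()`, whose length is bounded only by the server's header limit, not by `ContentLengthLimit`. Suggested comment for queryPOST: `// queryPOST retrieves graphql query from POST request. The body is read through http.MaxBytesReader capped at ContentLengthLimit; a larger body yields an error and the server is told to close the connection.`, and a sentence on getQuery noting that the GET query string is not subject to ContentLengthLimit. In the applicationGraphql branch `query.Query = string(body)` is assigned before `err` is examined, so a truncated read returns a partial query next to the error; the caller discards it, but `if err != nil { return query, errs.Combine(err, limitedReader.Close()) }` ahead of the assignment makes that explicit. The default branch returns without closing the body, as it did before this change; net/http closes it after the handler returns, so this is only a consistency nit. queryPOST's closing brace is outside the hunk.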