From 73876c8fc924349ffb5228797030ad349154852b Mon Sep 17 00:00:00 2001
From: Till Faelligen
Date: Fri, 23 Apr 2021 23:20:17 +0200
Subject: [PATCH] Use LimitReader to prevent DoS risk

Signed-off-by: Till Faelligen
---
 mediaapi/routing/upload.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mediaapi/routing/upload.go b/mediaapi/routing/upload.go
index f1dd231df..2c5d92525 100644
--- a/mediaapi/routing/upload.go
+++ b/mediaapi/routing/upload.go
@@ -147,7 +147,8 @@ func (r *uploadRequest) doUpload(
 	// r.storeFileAndMetadata(ctx, tmpDir, ...)
 	// before you return from doUpload else we will leak a temp file. We could make this nicer with a `WithTransaction` style of
 	// nested function to guarantee either storage or cleanup.
-	hash, bytesWritten, tmpDir, err := fileutils.WriteTempFile(ctx, reqReader, cfg.AbsBasePath)
+	lr := io.LimitReader(reqReader, int64(*cfg.MaxFileSizeBytes))
+	hash, bytesWritten, tmpDir, err := fileutils.WriteTempFile(ctx, lr, cfg.AbsBasePath)
 	if err != nil {
 		r.Logger.WithError(err).WithFields(log.Fields{
 			"MaxFileSizeBytes": *cfg.MaxFileSizeBytes,
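Review bot: The added `io.LimitReader` silently truncates an oversized body at exactly MaxFileSizeBytes instead of rejecting it, so an upload larger than the limit is written to the temp file as a clean, truncated file and any later size comparison (the log fields suggest one follows, outside this hunk) cannot tell "exactly at the limit" from "over the limit". The usual fix is to allow one extra byte and reject on overflow: `lr := io.LimitReader(reqReader, int64(*cfg.MaxFileSizeBytes)+1)` followed by a check such as `if bytesWritten > int64(*cfg.MaxFileSizeBytes) { /* reject, clean up tmpDir */ }` (adjusting to the actual types), or use `http.MaxBytesReader`, which returns an error once the limit is exceeded. It is also worth confirming what a zero MaxFileSizeBytes means in the config; if zero denotes "unlimited", wrapping with a zero limit would turn every upload into an empty file, and the limit should be skipped in that case. doUpload's body continues outside the hunk, so the cleanup path for the rejected case needs to honour the temp-file comment above the change.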