gateway: limit requests to a predefined max size

internal/services/gateway/gateway.go

@@ -44,6 +44,10 @@ var level = zap.NewAtomicLevelAt(zapcore.InfoLevel)
 var logger = slog.New(level)
 var log = logger.Sugar()
 
+const (
+	maxRequestSize = 1024 * 1024
+)
+
 type Gateway struct {
 	c *config.Gateway
 
@@ -269,8 +273,10 @@ func (g *Gateway) Run(ctx context.Context) error {
 	router.Handle("/webhooks", webhooksHandler).Methods("POST")
 	router.PathPrefix("/").HandlerFunc(handlers.NewWebBundleHandlerFunc(g.c.APIExposedURL))
 
+	maxBytesHandler := handlers.NewMaxBytesHandler(router, 1024*1024)
+
 	mainrouter := mux.NewRouter()
-	mainrouter.PathPrefix("/").Handler(corsHandler(router))
+	mainrouter.PathPrefix("/").Handler(corsHandler(maxBytesHandler))
 
 	var tlsConfig *tls.Config
 	if g.c.Web.TLS {

internal/services/gateway/handlers/maxbyte.go

@@ -0,0 +1,38 @@
+// Copyright 2019 Sorint.lab
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package handlers
+
+import "net/http"
+
+type maxBytesHandler struct {
+	h http.Handler
+	n int64
+}
+
+func NewMaxBytesHandler(h http.Handler, n int64) *maxBytesHandler {
+	return &maxBytesHandler{
+		h: h,
+		n: n,
+	}
+}
+
+func (h *maxBytesHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.ContentLength > h.n {
+		http.Error(w, "request too large", http.StatusExpectationFailed)
+		return
+	}
+	r.Body = http.MaxBytesReader(w, r.Body, h.n)
+	h.h.ServeHTTP(w, r)
+}