s3tables: add request body size limiting

Add request body size limiting (10MB) to readRequestBody method:
- Define maxRequestBodySize constant to prevent unbounded reads
- Use io.LimitReader to enforce size limit
- Add explicit error handling for oversized requests
- Prevents potential DoS attacks via large request bodies

weed/s3api/s3tables/handler.go

@@ -22,6 +22,9 @@ const (
 	ExtendedKeyMetadata = "s3tables.metadata"
 	ExtendedKeyPolicy   = "s3tables.policy"
 	ExtendedKeyTags     = "s3tables.tags"
+
+	// Maximum request body size (10MB)
+	maxRequestBodySize = 10 * 1024 * 1024
 )
 
 var (
@@ -178,11 +181,19 @@ func (h *S3TablesHandler) getAccountID(r *http.Request) string {
 
 func (h *S3TablesHandler) readRequestBody(r *http.Request, v interface{}) error {
 	defer r.Body.Close()
-	body, err := io.ReadAll(r.Body)
+
+	// Limit request body size to prevent unbounded reads
+	limitedReader := io.LimitReader(r.Body, maxRequestBodySize+1)
+	body, err := io.ReadAll(limitedReader)
 	if err != nil {
 		return fmt.Errorf("failed to read request body: %w", err)
 	}
 
+	// Check if body exceeds size limit
+	if len(body) > maxRequestBodySize {
+		return fmt.Errorf("request body too large: exceeds maximum size of %d bytes", maxRequestBodySize)
+	}
+
 	if len(body) == 0 {
 		return nil
 	}