From e862888d2da85d83324d018aa334f078619e4e47 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 14:54:45 -0800
Subject: [PATCH] s3tables: add request body size limiting

Add request body size limiting (10MB) to readRequestBody method:
- Define maxRequestBodySize constant to prevent unbounded reads
- Use io.LimitReader to enforce size limit
- Add explicit error handling for oversized requests
- Prevents potential DoS attacks via large request bodies
---
 weed/s3api/s3tables/handler.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/weed/s3api/s3tables/handler.go b/weed/s3api/s3tables/handler.go
index 0ff7a3099..088351d3b 100644
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@@ -22,6 +22,9 @@ const (
 ExtendedKeyMetadata = "s3tables.metadata"
 ExtendedKeyPolicy = "s3tables.policy"
 ExtendedKeyTags = "s3tables.tags"
+
+ // Maximum request body size (10MB)
+ maxRequestBodySize = 10 * 1024 * 1024
 )
 
 var (
@@ -178,11 +181,19 @@ func (h *S3TablesHandler) getAccountID(r *http.Request) string {
 func (h *S3TablesHandler) readRequestBody(r *http.Request, v interface{}) error {
 defer r.Body.Close()
 
- body, err := io.ReadAll(r.Body)
+
+ // Limit request body size to prevent unbounded reads
+ limitedReader := io.LimitReader(r.Body, maxRequestBodySize+1)
+ body, err := io.ReadAll(limitedReader)
 if err != nil {
 return fmt.Errorf("failed to read request body: %w", err)
 }
 
+ // Check if body exceeds size limit
+ if len(body) > maxRequestBodySize {
+ return fmt.Errorf("request body too large: exceeds maximum size of %d bytes", maxRequestBodySize)
+ }
+
 if len(body) == 0 {
 return nil
 }
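Review bot: The oversized-body case in readRequestBody is returned as a flat fmt.Errorf, so callers cannot tell it apart from a failed read or, presumably, a malformed body further down, and will most likely map it to the same status instead of 413 Request Entity Too Large; a sentinel makes the distinction cheap: `var ErrRequestBodyTooLarge = errors.New("request body too large")` at package level, and in the size check `return fmt.Errorf("%w: exceeds maximum size of %d bytes", ErrRequestBodyTooLarge, maxRequestBodySize)`, which callers can test with errors.Is. If the handler's http.ResponseWriter is reachable at the call site, `http.MaxBytesReader(w, r.Body, maxRequestBodySize)` is the standard-library form of the same limit: it returns a *http.MaxBytesError and additionally tells the server not to reuse the connection, which io.LimitReader does not. The limit itself is correct: reading maxRequestBodySize+1 bytes and rejecting on len(body) > maxRequestBodySize distinguishes an exactly-10MB body from an oversized one. The body of readRequestBody continues past the hunk, so whether the unread remainder or the later decode path needs any further change cannot be seen here.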