fix unbounded memory consumption vulnerability (#111)

helenamariano · web-flow · commit 42bcff666855 · 2022-07-18T15:47:08.000+10:00
Co-authored-by: Helena Mariano &lt;31138349+helenamariano@users.noreply.github.com&gt;
diff --git a/docx.go b/docx.go
@@ -40,7 +40,7 @@ func ConvertDocx(r io.Reader) (string, map[string]string, error) {
 		size = si.Size()
 		ra = f
 	} else {
-		b, err := ioutil.ReadAll(r)
+		b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
 		if err != nil {
 			return "", nil, nil
 		}
diff --git a/limit.go b/limit.go
@@ -0,0 +1,3 @@
+package docconv
+
+const maxBytes = 20 << 20 // 20MB
diff --git a/odt.go b/odt.go
@@ -14,7 +14,7 @@ func ConvertODT(r io.Reader) (string, map[string]string, error) {
 	meta := make(map[string]string)
 	var textBody string
 
-	b, err := ioutil.ReadAll(r)
+	b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
 	if err != nil {
 		return "", nil, err
 	}
diff --git a/pages.go b/pages.go
@@ -21,7 +21,7 @@ func ConvertPages(r io.Reader) (string, map[string]string, error) {
 	meta := make(map[string]string)
 	var textBody string
 
-	b, err := ioutil.ReadAll(r)
+	b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
 	if err != nil {
 		return "", nil, fmt.Errorf("error reading data: %v", err)
 	}
diff --git a/xml.go b/xml.go
@@ -25,7 +25,7 @@ func ConvertXML(r io.Reader) (string, map[string]string, error) {
 func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string, error) {
 	var result string
 
-	dec := xml.NewDecoder(r)
+	dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
 	dec.Strict = strict
 	for {
 		t, err := dec.Token()
@@ -76,7 +76,7 @@ func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string
 // XMLToMap converts XML to a nested string map.
 func XMLToMap(r io.Reader) (map[string]string, error) {
 	m := make(map[string]string)
-	dec := xml.NewDecoder(r)
+	dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
 	var tagName string
 	for {
 		t, err := dec.Token()

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func ConvertDocx(r io.Reader) (string, map[string]string, error) {`
`40`	`40`	`size = si.Size()`
`41`	`41`	`ra = f`
`42`	`42`	`} else {`
`43`		`- b, err := ioutil.ReadAll(r)`
	`43`	`+ b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))`
`44`	`44`	`if err != nil {`
`45`	`45`	`return "", nil, nil`
`46`	`46`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+package docconv`
	`2`	`+`
	`3`	`+const maxBytes = 20 << 20 // 20MB`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ func ConvertODT(r io.Reader) (string, map[string]string, error) {`
`14`	`14`	`meta := make(map[string]string)`
`15`	`15`	`var textBody string`
`16`	`16`
`17`		`- b, err := ioutil.ReadAll(r)`
	`17`	`+ b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))`
`18`	`18`	`if err != nil {`
`19`	`19`	`return "", nil, err`
`20`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ func ConvertPages(r io.Reader) (string, map[string]string, error) {`
`21`	`21`	`meta := make(map[string]string)`
`22`	`22`	`var textBody string`
`23`	`23`
`24`		`- b, err := ioutil.ReadAll(r)`
	`24`	`+ b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))`
`25`	`25`	`if err != nil {`
`26`	`26`	`return "", nil, fmt.Errorf("error reading data: %v", err)`
`27`	`27`	`}`