
gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVladimir Shushlin <v.shushlin@gmail.com>2021-11-10 18:38:22 +0300
committerVladimir Shushlin <v.shushlin@gmail.com>2021-11-11 11:42:42 +0300
commitbf9c79a5477b61f375be659e2e16f377067d9c00 (patch)
treefbd7c2ceece4af9fc87e45c43679a725015e7588 /app.go
parentaa897ce9849d35cd7ff1121351f1033e91d0c062 (diff)
fix: reject requests with very long URIs
Some parts of the application may be vulnerable to very long URIs being passed. E.g. Auth will try to save the URI to the session cookie, and it will fail, which will result in a 500 error. Changelog: fixed
Diffstat (limited to 'app.go')
-rw-r--r--app.go7
1 files changed, 4 insertions, 3 deletions
diff --git a/app.go b/app.go
index cddf8d49..3f286033 100644
--- a/app.go
+++ b/app.go
@@ -39,6 +39,7 @@ import (
"gitlab.com/gitlab-org/gitlab-pages/internal/serving/disk/zip"
"gitlab.com/gitlab-org/gitlab-pages/internal/source"
"gitlab.com/gitlab-org/gitlab-pages/internal/source/gitlab"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/urilimiter"
"gitlab.com/gitlab-org/gitlab-pages/metrics"
)
@@ -292,10 +293,10 @@ func (a *theApp) buildHandlerPipeline() (http.Handler, error) {
handler = handlePanicMiddleware(handler)
handler = correlation.InjectCorrelationID(handler, correlationOpts...)
- // This MUST be the last handler!
- // This handler blocks unknown HTTP methods,
- // being the last means it will be evaluated first
+ // These middlewares MUST be added in the end.
+ // Being last means they will be evaluated first
// preventing any operation on bogus requests.
+ handler = urilimiter.NewMiddleware(handler, a.config.General.MaxURILength)
handler = rejectmethods.NewMiddleware(handler)
return handler, nil
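Review bot: The rewritten comment above `urilimiter.NewMiddleware` no longer says what either middleware rejects or in which order they run; as written, `rejectmethods` wraps `urilimiter`, so the method check runs first and the length check second, both ahead of `correlation.InjectCorrelationID` and `handlePanicMiddleware`. Because the length check sits outside correlation-ID injection, a rejected over-long request will presumably carry no correlation ID, so the urilimiter package (not shown here) should log or count its own rejections if operators are to see them. The hunk also does not show how a zero or negative `a.config.General.MaxURILength` is treated, which is worth stating at the call site, e.g. `// urilimiter rejects requests whose URI is longer than MaxURILength (TODO confirm: 0 disables the check).` buildHandlerPipeline begins before the hunk and its closing brace is not shown.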