diff --git a/bdns/dns.go b/bdns/dns.go
index bb147bb2d32..e00e0432309 100644
--- a/bdns/dns.go
+++ b/bdns/dns.go
@@ -379,7 +379,7 @@ func (d *dohExchanger) ExchangeContext(ctx context.Context, query *dns.Msg, serv
 return nil, d.clk.Since(start), fmt.Errorf("doh: http status %d", resp.StatusCode)
 }
 
- b, err := io.ReadAll(resp.Body)
+ b, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 if err != nil {
 return nil, d.clk.Since(start), fmt.Errorf("doh: reading response body: %w", err)
 }
diff --git a/cmd/crl-checker/main.go b/cmd/crl-checker/main.go
index c3398caec2c..4117590ae35 100644
--- a/cmd/crl-checker/main.go
+++ b/cmd/crl-checker/main.go
@@ -32,7 +32,7 @@ func downloadShard(url string) (*x509.RevocationList, error) {
 return nil, fmt.Errorf("downloading crl: http status %d", resp.StatusCode)
 }
 
- crlBytes, err := io.ReadAll(resp.Body)
+ crlBytes, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 1_000_000_000})
 if err != nil {
 return nil, fmt.Errorf("reading CRL bytes: %w", err)
 }
diff --git a/cmd/shell.go b/cmd/shell.go
index 0cfa6fff2df..cb8df16c50d 100644
--- a/cmd/shell.go
+++ b/cmd/shell.go
@@ -511,7 +511,7 @@ func ValidateYAMLConfig(cv *ConfigValidator, in io.Reader) error {
 // Register custom types for use with existing validation tags.
 validate.RegisterCustomTypeFunc(config.DurationCustomTypeFunc, config.Duration{})
 
- inBytes, err := io.ReadAll(in)
+ inBytes, err := io.ReadAll(&io.LimitedReader{R: in, N: 300_000})
 if err != nil {
 return err
 }
diff --git a/crl/storer/storer.go b/crl/storer/storer.go
index 6455d77bdf9..f73f3b3897a 100644
--- a/crl/storer/storer.go
+++ b/crl/storer/storer.go
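Review bot: The new `io.LimitedReader` at the `b, err := io.ReadAll(...)` line silently truncates any response longer than 300_000 bytes: the limited reader reports EOF at the cap, so `io.ReadAll` returns the first N bytes with a nil error and an oversized body is handed to the DNS unpacking code as if it were complete instead of being rejected. Reading one byte past the cap and checking the length makes the bound an explicit failure, e.g. `b, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: maxDoHResponseBytes + 1})` followed by `if int64(len(b)) > maxDoHResponseBytes { return nil, d.clk.Since(start), fmt.Errorf("doh: response body exceeds %d bytes", maxDoHResponseBytes) }` (with `maxDoHResponseBytes` a constant still to be defined). The same silent-truncation pattern is in every other read site of this diff (crl-checker, shell.go, storer, pkimetal, aia, ccadb, crl and tls probers, pardot, zendesk), and each parser downstream will see a clipped document rather than a size error. A DNS wire message is at most 65,535 bytes, so a cap near that would also be defensible for this particular site. ExchangeContext begins and ends outside the hunk.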
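Review bot: The cap at the `crlBytes, err := io.ReadAll(...)` line is a bare `1_000_000_000` literal, and the same two magic numbers (300_000 and 1_000_000_000) are repeated at every site in this diff with nothing recording why those values were chosen. Naming them once, e.g. `const maxCRLBytes = 1_000_000_000 // largest CRL shard we are willing to buffer in memory`, would make the policy auditable and keep the sites from drifting apart. Note also that `io.ReadAll` buffers the whole body, so this limit is really the peak allocation a single download can force on the process; if shards are known to be far smaller, a tighter cap costs nothing. downloadShard continues past the hunk.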
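Review bot: In ValidateYAMLConfig the `inBytes, err := io.ReadAll(&io.LimitedReader{R: in, N: 300_000})` line validates whatever the first 300_000 bytes of `in` happen to be; a config larger than that is checked as a truncated document, which either fails with a misleading YAML error or, if the cut lands on a clean boundary, passes validation for content that differs from what the loader will actually use. Since `in` is presumably a local config file rather than a network body, the cap should either match whatever limit the loader itself enforces or turn into an explicit error, e.g. read with `N: maxConfigBytes + 1` and add `if len(inBytes) > maxConfigBytes { return fmt.Errorf("config exceeds %d bytes", maxConfigBytes) }`. The function's body continues past the hunk.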
@@ -181,7 +181,7 @@ func (cs *crlStorer) UploadCRL(stream grpc.ClientStreamingServer[cspb.UploadCRLR
 cs.log.Info(ctx, "Proceeding because no previous CRL found")
 } else {
 defer prevObj.Body.Close()
- prevBytes, err := io.ReadAll(prevObj.Body)
+ prevBytes, err := io.ReadAll(&io.LimitedReader{R: prevObj.Body, N: 1_000_000_000})
 if err != nil {
 return fmt.Errorf("downloading previous CRL for %s: %w", crlId, err)
 }
diff --git a/linter/pkimetal/client.go b/linter/pkimetal/client.go
index 4637e6a56f2..4ed0a0e4e6c 100644
--- a/linter/pkimetal/client.go
+++ b/linter/pkimetal/client.go
@@ -80,7 +80,7 @@ func (pkim *Client) Execute(endpoint string, der []byte) (*lint.LintResult, erro
 return nil, fmt.Errorf("got status %d (%s) from pkimetal API", resp.StatusCode, resp.Status)
 }
 
- resJSON, err := io.ReadAll(resp.Body)
+ resJSON, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 if err != nil {
 return nil, fmt.Errorf("reading response from pkimetal API: %s", err)
 }
diff --git a/observer/probers/aia/aia.go b/observer/probers/aia/aia.go
index c6c90ed6db5..c61e3d77d61 100644
--- a/observer/probers/aia/aia.go
+++ b/observer/probers/aia/aia.go
@@ -48,7 +48,7 @@ func (p AIAProbe) Probe(ctx context.Context) error {
 return fmt.Errorf("certificate Content-Type is %q but want application/pkix-cert", contentType)
 }
 
- body, err := io.ReadAll(resp.Body)
+ body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 if err != nil {
 return err
 }
diff --git a/observer/probers/ccadb/retryhttp.go b/observer/probers/ccadb/retryhttp.go
index 2bacbfe2def..7484ded6993 100644
--- a/observer/probers/ccadb/retryhttp.go
+++ b/observer/probers/ccadb/retryhttp.go
@@ -21,7 +21,7 @@ func getBody(ctx context.Context, url string) ([]byte, error) {
 }
 defer resp.Body.Close()
 
- body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 100_000_000})
+ body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 1_000_000_000})
 if err != nil {
 return nil, err
 }
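Review bot: The `body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 1_000_000_000})` line raises the existing cap tenfold, from 100 MB to 1 GB, and nothing in the hunk records why; because `io.ReadAll` keeps the entire body in memory, this is the largest allocation a single probe of the CCADB endpoint can be made to perform, so the value should be justified by the expected export size rather than aligned with the CRL sites. If the CCADB download is known to fit comfortably under the old limit, keeping 100_000_000 (or a named constant whose comment states the expected size) is the safer choice. getBody continues outside the hunk.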
diff --git a/observer/probers/crl/crl.go b/observer/probers/crl/crl.go
index 80e8d6f7982..4111f6b7a7c 100644
--- a/observer/probers/crl/crl.go
+++ b/observer/probers/crl/crl.go
@@ -47,7 +47,7 @@ func (p CRLProbe) Probe(ctx context.Context) error {
 }
 defer resp.Body.Close()
 
- body, err := io.ReadAll(resp.Body)
+ body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 1_000_000_000})
 if err != nil {
 return err
 }
diff --git a/observer/probers/tls/tls.go b/observer/probers/tls/tls.go
index 7b3885a0530..c718fbe28b6 100644
--- a/observer/probers/tls/tls.go
+++ b/observer/probers/tls/tls.go
@@ -85,7 +85,7 @@ func checkOCSP(ctx context.Context, cert, issuer *x509.Certificate, want int) (b
 }
 defer res.Body.Close()
 
- output, err := io.ReadAll(res.Body)
+ output, err := io.ReadAll(&io.LimitedReader{R: res.Body, N: 300_000})
 if err != nil {
 return false, err
 }
@@ -114,7 +114,7 @@ func checkCRL(ctx context.Context, cert, issuer *x509.Certificate, want int) (bo
 }
 defer resp.Body.Close()
 
- der, err := io.ReadAll(resp.Body)
+ der, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 1_000_000_000})
 if err != nil {
 return false, fmt.Errorf("reading CRL: %w", err)
 }
diff --git a/salesforce/pardot.go b/salesforce/pardot.go
index f3852ef3475..e24ce32ff14 100644
--- a/salesforce/pardot.go
+++ b/salesforce/pardot.go
@@ -11,6 +11,7 @@ import (
 "time"
 
 "github.com/jmhodges/clock"
+ "github.com/letsencrypt/boulder/core"
 )
 
@@ -117,7 +118,7 @@ func (pc *SalesforceClientImpl) updateToken() error {
 defer resp.Body.Close()
 
 if resp.StatusCode != http.StatusOK {
- body, readErr := io.ReadAll(resp.Body)
+ body, readErr := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 if readErr != nil {
 return fmt.Errorf("token request failed with status %d; while reading body: %w", resp.StatusCode, readErr)
 }
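Review bot: In updateToken the read at the `body, readErr := io.ReadAll(...)` line sits inside the `if resp.StatusCode != http.StatusOK` branch and, judging by the error message on the following lines, exists only to report a failed token request; a 300_000-byte cap for a body that ends up in an error string is far larger than needed, and a few kilobytes would bound log size as well as memory. The import hunk above adds `github.com/letsencrypt/boulder/core`, but no use of it is visible in this diff, so presumably it is referenced in a hunk outside this view; worth confirming the import is not left unused, since that would fail compilation. The same 300_000 cap is applied in SendContact below, whose use of `body` falls outside that hunk.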
@@ -202,7 +203,7 @@ func (pc *SalesforceClientImpl) SendContact(email string) error {
 return nil
 }
 
- body, err := io.ReadAll(resp.Body)
+ body, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 resp.Body.Close()
 if err != nil {
diff --git a/sfe/zendesk/zendesk.go b/sfe/zendesk/zendesk.go
index e67a2309157..46d0c5bc02a 100644
--- a/sfe/zendesk/zendesk.go
+++ b/sfe/zendesk/zendesk.go
@@ -177,7 +177,7 @@ func (c *Client) doJSONRequest(method, reqURL string, body []byte) ([]byte, erro
 }
 defer resp.Body.Close()
 
- respBody, err := io.ReadAll(resp.Body)
+ respBody, err := io.ReadAll(&io.LimitedReader{R: resp.Body, N: 300_000})
 if err != nil {
 return nil, fmt.Errorf("failed to read zendesk response body: %w", err)
 }