fix: audit issues (#3797)

ory · Mar 4, 2024 · 7017490
1 parent e6db689
commit 7017490
Show file tree

Hide file tree

Showing 16 changed files with 123 additions and 118 deletions.
diff --git a/.schema/openapi/templates/go/api.mustache b/.schema/openapi/templates/go/api.mustache
@@ -321,7 +321,7 @@ func (a *{{{classname}}}Service) {{nickname}}Execute(r {{#structPrefix}}{{&class
 		return {{#returnType}}localVarReturnValue, {{/returnType}}localVarHTTPResponse, err
 	}
 
-	localVarBody, err := io.ReadAll(localVarHTTPResponse.Body)
+	localVarBody, err := io.ReadAll(io.LimitReader(localVarHTTPResponse.Body, 1024*1024))
 	localVarHTTPResponse.Body.Close()
 	localVarHTTPResponse.Body = io.NopCloser(bytes.NewBuffer(localVarBody))
 	if err != nil {

diff --git a/cmd/daemon/serve.go b/cmd/daemon/serve.go
@@ -116,7 +116,7 @@ func servePublic(r driver.Registry, cmd *cobra.Command, eg *errgroup.Group, slOp
 
 	n.UseFunc(x.CleanPath) // Prevent double slashes from breaking CSRF.
 	r.WithCSRFHandler(csrf)
-	n.UseHandler(r.CSRFHandler())
+	n.UseHandler(http.MaxBytesHandler(r.CSRFHandler(), 5*1024*1024 /* 5 MB */))
 
 	// Disable CSRF for these endpoints
 	csrf.DisablePath(healthx.AliveCheckPath)
@@ -199,7 +199,7 @@ func serveAdmin(r driver.Registry, cmd *cobra.Command, eg *errgroup.Group, slOpt
 	r.RegisterAdminRoutes(ctx, router)
 	r.PrometheusManager().RegisterRouter(router.Router)
 
-	n.UseHandler(router)
+	n.UseHandler(http.MaxBytesHandler(router, 5*1024*1024 /* 5 MB */))
 	certs := c.GetTLSCertificatesForAdmin(ctx)
 
 	var handler http.Handler = n

diff --git a/courier/smtp.go b/courier/smtp.go
@@ -66,6 +66,13 @@ func NewSMTPClient(deps Dependencies, cfg *config.SMTPConfig) (*SMTPClient, erro
 		serverName = uri.Hostname()
 	}
 
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: sslSkipVerify, //#nosec G402 -- This is ok (and required!) because it is configurable and disabled by default.
+		Certificates:       tlsCertificates,
+		ServerName:         serverName,
+		MinVersion:         tls.VersionTLS12,
+	}
+
 	// SMTP schemes
 	// smtp: smtp clear text (with uri parameter) or with StartTLS (enforced by default)
 	// smtps: smtp with implicit TLS (recommended way in 2021 to avoid StartTLS downgrade attacks
@@ -75,14 +82,12 @@ func NewSMTPClient(deps Dependencies, cfg *config.SMTPConfig) (*SMTPClient, erro
 		// Enforcing StartTLS by default for security best practices (config review, etc.)
 		skipStartTLS, _ := strconv.ParseBool(uri.Query().Get("disable_starttls"))
 		if !skipStartTLS {
-			//#nosec G402 -- This is ok (and required!) because it is configurable and disabled by default.
-			dialer.TLSConfig = &tls.Config{InsecureSkipVerify: sslSkipVerify, Certificates: tlsCertificates, ServerName: serverName}
+			dialer.TLSConfig = tlsConfig
 			// Enforcing StartTLS
 			dialer.StartTLSPolicy = gomail.MandatoryStartTLS
 		}
 	case "smtps":
-		//#nosec G402 -- This is ok (and required!) because it is configurable and disabled by default.
-		dialer.TLSConfig = &tls.Config{InsecureSkipVerify: sslSkipVerify, Certificates: tlsCertificates, ServerName: serverName}
+		dialer.TLSConfig = tlsConfig
 		dialer.SSL = true
 	}