From 8990f5afb7cd61eb580f4d9edaec5ed1eb408d45 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Thu, 23 Apr 2026 13:26:03 +0200
Subject: [PATCH] fix: cap decompressed request body side to prevent DoS
---
 internal/middleware/compression.go | 52 ++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 17 deletions(-)
diff --git a/internal/middleware/compression.go b/internal/middleware/compression.go
index 71465b0..b7a14c0 100644
--- a/internal/middleware/compression.go
+++ b/internal/middleware/compression.go
@@ -150,23 +150,7 @@ func shouldCompressResponse(contentType string, config *CompressionConfig) bool
 }
 func DecompressionMiddleware() func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.Header.Get("Content-Encoding") == "gzip" {
-				gz, err := gzip.NewReader(r.Body)
-				if err != nil {
-					http.Error(w, "Invalid gzip encoding", http.StatusBadRequest)
-					return
-				}
-				defer gz.Close()
-				r.Body = io.NopCloser(gz)
-				r.Header.Del("Content-Encoding")
-			}
-			next.ServeHTTP(w, r)
-		})
-	}
+	return DecompressionMiddlewareWithConfig(nil)
 }
 type CompressionConfig struct {
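Review bot: The one-line body of DecompressionMiddleware changes behaviour for every existing caller — delegating with `nil` picks up DefaultDecompressionConfig and its 1024 * 1024 cap where the removed code decompressed without any limit — yet the exported function still carries no doc comment saying so. Suggested: `// DecompressionMiddleware is DecompressionMiddlewareWithConfig with a nil config, i.e. DefaultDecompressionConfig and its decompressed-body cap; callers that need a different limit use the WithConfig variant.` Since the cap is now a hard behavioural contract rather than an implementation detail, this is the place a maintainer will look for it.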
@@ -189,3 +173,37 @@ func DefaultCompressionConfig() *CompressionConfig {
 		},
 	}
 }
+
+type DecompressionConfig struct {
+	MaxDecompressedSize int64
+}
+
+func DefaultDecompressionConfig() *DecompressionConfig {
+	return &DecompressionConfig{
+		MaxDecompressedSize: 1024 * 1024, // 1MB
+	}
+}
+
+func DecompressionMiddlewareWithConfig(config *DecompressionConfig) func(http.Handler) http.Handler {
+	if config == nil {
+		config = DefaultDecompressionConfig()
+	}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.Header.Get("Content-Encoding") == "gzip" {
+				gz, err := gzip.NewReader(r.Body)
+				if err != nil {
+					http.Error(w, "Invalid gzip encoding", http.StatusBadRequest)
+					return
+				}
+				defer gz.Close()
+
+				r.Body = io.NopCloser(io.LimitReader(gz, config.MaxDecompressedSize))
+				r.Header.Del("Content-Encoding")
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
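Review bot: The `io.LimitReader` in the `r.Body` assignment truncates an oversized body silently instead of rejecting it, so a gzip payload that inflates past MaxDecompressedSize reaches `next` with its tail cut off and the handler sees the cut as a clean EOF — the cap stops the memory blow-up but leaves the handler acting on a partial payload with no signal that anything was dropped. `http.MaxBytesReader(w, gz, config.MaxDecompressedSize)` is the standard-library form of this check: a read past the limit returns an error (an `*http.MaxBytesError` since Go 1.19) the handler can map to 413, and the connection is marked to close so the client cannot keep streaming; the change is the single line `r.Body = http.MaxBytesReader(w, gz, config.MaxDecompressedSize)`. The nil check above also leaves a zero or negative MaxDecompressedSize unvalidated, which with the current LimitReader yields an always-empty body; widening it to `if config == nil || config.MaxDecompressedSize <= 0 {` would fall back to the default instead. The three new exported names (DecompressionConfig, DefaultDecompressionConfig, DecompressionMiddlewareWithConfig) have no doc comments; each should get a one-line comment starting with its name, and the struct field should state that the limit applies to the decompressed byte count rather than the wire size.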