From bf7f57be3c92a054116d1c149434ce89a90bc3ff Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Date: Thu, 13 Feb 2025 15:21:26 -0500
Subject: [PATCH] Set upload limits consistently

We previously checked that the content was below GitHub's 25M limit, but
this was done in the request handler. `aiohttp` _already_ checks the
content size and has a limit of 1 MiB.

Instead, set the limit for `aiohttp` and for Caddy directly. Though the
latter is redundant, it's possibly a bit more secure. Limiting upload to
the regular site is also probably redundant since it goes to
`file_server` which supports no uploads, but better to cut that off
early. CloudFlare also has a limit set, but it's to its minimum allowed
which is 100MB.
---
 templates/Caddyfile.j2 | 8 ++++++++
 webhook/webhook.py     | 6 +-----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
index 08a4e59..e456720 100644
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -33,6 +33,10 @@ http://{{ caddy.addresses.webhook }} {
 
 	root * {{ caddy.site_dir }}
 
+	request_body {
+		max_size 25MB  # Limit from GitHub.
+	}
+
 	# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers
 	@valid_webhook {
 		path /gh/*
@@ -85,6 +89,10 @@ http://{{ caddy.addresses.main }}, http://{{ ansible_fqdn }} {
 
 	root * {{ caddy.site_dir }}
 
+	request_body {
+		max_size 0
+	}
+
 {% for site, path in repos.items() %}
 	import subproject {{ site }} {{ path | default(site, true) }}
 {% endfor %}
diff --git a/webhook/webhook.py b/webhook/webhook.py
index 5d86d17..24ae44f 100644
--- a/webhook/webhook.py
+++ b/webhook/webhook.py
@@ -88,10 +88,6 @@ async def github_webhook(request: web.Request):
 
     We only handle ping and push events (this is enforced by the Caddyfile).
     """
-    # Verify some input parameters.
-    if request.content_length > 25_000_000:  # Limit from GitHub.
-        raise web.HTTPBadRequest(reason='Request too large')
-
     # This should be guarded against by Caddy, but check anyway.
     # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers
     try:
@@ -183,7 +179,7 @@ def create_app():
     site_dir = Path(os.environ.get('SITE_DIR', 'sites')).resolve()
     assert site_dir.is_dir()
 
-    app = web.Application()
+    app = web.Application(client_max_size=25_000_000)  # Limit from GitHub.
     app['site_dir'] = site_dir
     app.add_routes([
         web.post('/gh/{repo}', github_webhook),