From bf7f57be3c92a054116d1c149434ce89a90bc3ff Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 13 Feb 2025 15:21:26 -0500
Subject: [PATCH] Set upload limits consistently

We previously checked that the content was below GitHub's 25M limit, but this was done in the request handler. `aiohttp` _already_ checks the content size and has a limit of 1 MiB. Instead, set the limit for `aiohttp` and for Caddy directly. Though the latter is redundant, it's possibly a bit more secure. Limiting upload to the regular site is also probably redundant since it goes to `file_server` which supports no uploads, but better to cut that off early. CloudFlare also has a limit set, but it's to its minimum allowed which is 100MB.
---
templates/Caddyfile.j2 | 8 ++++++++
webhook/webhook.py | 6 +-----
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/templates/Caddyfile.j2 b/templates/Caddyfile.j2
index 08a4e59..e456720 100644
--- a/templates/Caddyfile.j2
+++ b/templates/Caddyfile.j2
@@ -33,6 +33,10 @@ http://{{ caddy.addresses.webhook }} { root * {{ caddy.site_dir }} + request_body { + max_size 25MB # Limit from GitHub. + } + # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers @valid_webhook { path /gh/*
@@ -85,6 +89,10 @@ http://{{ caddy.addresses.main }}, http://{{ ansible_fqdn }} { root * {{ caddy.site_dir }} + request_body { + max_size 0 + } + {% for site, path in repos.items() %} import subproject {{ site }} {{ path | default(site, true) }} {% endfor %}
diff --git a/webhook/webhook.py b/webhook/webhook.py
index 5d86d17..24ae44f 100644
--- a/webhook/webhook.py
+++ b/webhook/webhook.py
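Review bot: The `max_size 25MB` line in the webhook site block of templates/Caddyfile.j2 (hunk at -33,6) has to stay equal to the `client_max_size=25_000_000` literal in webhook/webhook.py, but nothing in either file says so. Caddy's size values are, to my knowledge, parsed with decimal units, so `25MB` should mean 25,000,000 bytes and match today, whereas `25MiB` would not. I would extend the comment to `# Limit from GitHub (decimal MB); keep equal to client_max_size in webhook/webhook.py.` so a later edit to one side does not silently make the two layers disagree.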
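Review bot: In the main-site block of templates/Caddyfile.j2 (hunk at -85,6), `max_size 0` may not reject anything. As far as I recall, Caddy's `request_body` handler installs the limit only when the configured size is greater than zero, and enforces it only when a later handler reads the body, which `file_server` does not. Please confirm by sending a request with a body to the main site and checking for a 413. If the request is accepted, a method guard states the intent directly, for example `@write not method GET HEAD` followed by `respond @write 405`. Either way, a comment such as `# Static site: no request bodies expected.` would explain the value.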
@@ -88,10 +88,6 @@ async def github_webhook(request: web.Request): We only handle ping and push events (this is enforced by the Caddyfile). """ - # Verify some input parameters. - if request.content_length > 25_000_000: # Limit from GitHub. - raise web.HTTPBadRequest(reason='Request too large') - # This should be guarded against by Caddy, but check anyway. # https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#delivery-headers try:
@@ -183,7 +179,7 @@ def create_app(): site_dir = Path(os.environ.get('SITE_DIR', 'sites')).resolve() assert site_dir.is_dir() - app = web.Application() + app = web.Application(client_max_size=25_000_000) # Limit from GitHub. app['site_dir'] = site_dir app.add_routes([ web.post('/gh/{repo}', github_webhook),
pFad - Phonifier reborn
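Review bot: `client_max_size=25_000_000` in create_app() raises aiohttp's body cap from its 1 MiB default, so each request can now be buffered up to 25 MB in memory. The cap is applied only by the buffering readers (`request.read()`, `.text()`, `.json()`, `.post()`), not when a handler consumes `request.content` directly. The body of github_webhook is outside this hunk, so how it reads the payload cannot be checked here; if the signature is verified over the full body, rejecting requests with a missing or malformed signature header before `await request.read()` would stop unauthenticated senders from forcing the large allocation. The same literal now lives in this file and in the Caddyfile, so a module constant such as `MAX_PAYLOAD_SIZE = 25_000_000  # GitHub webhook payload cap` would document it in one place. create_app continues past the end of the hunk.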
